Mathematician Impersonates Google Founder to Point Out DKIM Flaw

An American mathematician impersonated Google founder Sergey Brin to point out a vulnerability in the company’s DomainKeys Identified Mail (DKIM) configuration, the cryptographic signing mechanism that domains use to sign e-mails and validate them to recipients, according to media reports.

The discovery came about after 35-year-old Zach Harris received a strange e-mail from a Google headhunter who offered him a job as a site-reliability engineer.

“You obviously have a passion for Linux and programming,” the alleged Google recruiter said. “I wanted to see if you are open to confidentially exploring opportunities with Google?”

Because he didn’t think he was the ideal Google candidate, Harris was intrigued, and discovered the search giant was signing with only a 512-bit key, half the length the DKIM standard calls for. A key that short can be factored cheaply with rented cloud computing, letting anyone forge Google’s DKIM signature and impersonate an e-mail sender from Google, including the company’s founders Sergey Brin and Larry Page.
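As an added example (not from the article, nor Harris’s own code), here is how a domain owner can audit the key length behind one of their DKIM selector records: the base64 `p=` tag is decoded as an RSA SubjectPublicKeyInfo with a small DER reader and anything shorter than the 1024-bit floor the article refers to is flagged. The record text is assumed to have been fetched already (the `selector._domainkey` TXT lookup is outside the snippet), and the sample records are constructed with a stand-in modulus of the right length rather than real keys.

```python
import base64
import re

RSA_ALG_ID = bytes.fromhex("300d06092a864886f70d0101010500")  # SEQUENCE { OID rsaEncryption, NULL }
def dkim_tags(txt):
    """Tags of a DKIM TXT record ('v=DKIM1; k=rsa; p=...'); whitespace inside values is dropped."""
    return {k.strip(): re.sub(r"\s+", "", v)
            for k, v in (p.split("=", 1) for p in txt.split(";") if "=" in p)}
def _der_read(buf, pos, want):
    """Read one DER TLV header at pos and check its tag; return (value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if tag != want:
        raise ValueError(f"expected DER tag {want:#x}, got {tag:#x}")
    if length & 0x80:  # long-form length; 1024-bit and larger keys need it
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return pos, pos + length
def rsa_modulus_bits(spki_der):
    """Modulus size of an RSA SubjectPublicKeyInfo blob, which is what DKIM's p= tag carries."""
    pos, _ = _der_read(spki_der, 0, 0x30)             # SubjectPublicKeyInfo SEQUENCE
    _, alg_end = _der_read(spki_der, pos, 0x30)       # AlgorithmIdentifier, skipped
    bs_start, _ = _der_read(spki_der, alg_end, 0x03)  # subjectPublicKey BIT STRING
    pos, _ = _der_read(spki_der, bs_start + 1, 0x30)  # RSAPublicKey SEQUENCE, after the unused-bits byte
    n_start, n_end = _der_read(spki_der, pos, 0x02)   # modulus INTEGER
    return int.from_bytes(spki_der[n_start:n_end], "big").bit_length()
def dkim_key_bits(txt):
    """Key size of an RSA DKIM record; None when the key is revoked (empty p=) or not RSA."""
    tags = dkim_tags(txt)
    if tags.get("k", "rsa") != "rsa" or not tags.get("p"):
        return None
    return rsa_modulus_bits(base64.b64decode(tags["p"]))
def weak_dkim(txt, minimum=1024):
    """True when the record carries an RSA key shorter than `minimum` bits."""
    bits = dkim_key_bits(txt)
    return bits is not None and bits < minimum

# Constructed sample records: the modulus is a stand-in odd number of the requested length, not a real key.
def _der_tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body
def constructed_record(bits):
    def der_int(i):
        b = i.to_bytes((i.bit_length() + 7) // 8, "big")
        return _der_tlv(0x02, (b"\x00" if b[0] & 0x80 else b"") + b)
    rsa_pub = _der_tlv(0x30, der_int((1 << (bits - 1)) | 0x10001) + der_int(65537))
    spki = _der_tlv(0x30, RSA_ALG_ID + _der_tlv(0x03, b"\x00" + rsa_pub))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()
```

Run `weak_dkim` over every selector record a domain publishes; a record with an empty `p=` is a revoked key and is reported as not weak rather than as an error.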

Thinking this could be a recruiting test from Google, Harris thought of playing along and sent an e-mail to Page that looked as if it were coming from Brin.

“I love factoring numbers,” Harris said, as quoted by Forbes. “So I thought this was fun. I really wanted to solve their puzzle and prove I could do it.”

In the e-mail, he promoted his personal website as an interesting “idea still being developed in its infancy.” “I think we should look into whether Google could get involved with this guy in some way. What do you think?” the e-mail signed by “Sergey” read.

The mathematician didn’t get an answer from Google, but soon discovered the company’s cryptographic key had suddenly changed to 2,048 bits.

“I assumed the e-mail got to some influential tech person who looked at it and said, ‘Wait a second, how is this obviously spoofed e-mail getting through?’ And they apparently figured it out on their own,” Harris said.

He also found similar DKIM weaknesses in the domains of PayPal, Yahoo, Amazon, eBay, Apple, Dell, LinkedIn, Twitter, SBCGlobal, US Bank, HP, and HSBC.

About the author

Bianca Stanescu, the fiercest warrior princess in the Bitdefender news palace, is a down-to-earth journalist, who's always on to a cybertrendy story. She's the industry news guru, who'll always keep a close eye on the AV movers and shakers and report their deeds from a fresh new perspective. Proud mother of one, she covers parental control topics, with a view to valiantly cutting a safe path for children through the Internet thicket. She likes to let words and facts speak for themselves.