Mathematician Impersonates Google Founder to Point Out DKIM Flaw

An American mathematician impersonated Google founder Sergey Brin to point out a vulnerability in the company`s DomainKeys Identified Mail, a cryptographic key that domains use to sign e-mails and validate them to recipients, according to media reports.

The discovery came up after 35-year old Zach Harris received a strange e-mail from a Google headhunter who offered him a job as a site-reliability engineer.

“You obviously have a passion for Linux and programming,” the alleged Google recruiter said. “I wanted to see if you are open to confidentially exploring opportunities with Google?”

Because he didn`t think he was the ideal Google candidate, Harris was intrigued, and discovered the search giant was only using a 512-bit key, half what the DKIM standard calls for. The flaw allowed anyone to easily crack the domain by cloud-computing, and impersonate an e-mail sender from Google, including the company`s founders Sergey Brin and Larry Page.

Thinking this could be a recruiting test from Google, Harris thought of playing along and sent an e-mail to Page that looked as if it were coming from Brin.

“I love factoring numbers,” Harris said, as quoted by Forbes. “So I thought this was fun. I really wanted to solve their puzzle and prove I could do it.”

In the e-mail, he promoted his personal website as an interesting “idea still being developed in its infancy.” “I think we should look into whether Google could get involved with this guy in some way. What do you think?” the e-mail signed by “Sergey” read.

The mathematician didn`t get an answer from Google, but soon discovered the company`s cryptographic key had suddenly changed to 2,048 bits.

“I assumed the e-mail got to some influential tech person who looked at it and said, ËœWait a second, how is this obviously spoofed e-mail getting through?` And they apparently figured it out on their own,” Harris said.

He also found DKIM vulnerabilities in websites used by PayPal, Yahoo, Amazon, eBay, Apple, Dell, LinkedIn, Twitter, SBCGlobal, US Bank, HP, Match.com and HSBC.