Mathematician Zachary Harris got an email from a headhunter at Google with a job offer. Assuming it was a phishing attempt of some kind, he checked the email headers and found that it did appear to come from someone at Google. But as he looked closer, he noticed that Google was using a weak DKIM (DomainKeys Identified Mail) cryptographic key. DKIM is a method that lets mail recipients confirm an email really comes from the domain it claims to come from. Google was using a 512-bit key instead of the 1024-bit minimum. Harris was able to crack it and sent an email that appeared to be from Google's Sergey Brin to Larry Page. Google quickly confirmed the problem and fixed its key.
But the story isn't over: lots of other major sites have the same problem, making it easy for someone to spoof emails from sites like eBay, Yahoo, Twitter, Amazon, PayPal, LinkedIn, US Bank and HSBC. Keep yourself safe and never click on a link in an email. Type the site address into your browser instead.
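As an added example (not code from the original post), here is a small Python check a mail administrator could run against a domain's DKIM selector record to flag keys below the 1024-bit minimum mentioned above. It assumes the record has already been fetched from the `selector._domainkey.domain` TXT entry; the two records used here are constructed inline from arbitrary numbers and are not real keys.

```python
import base64
import re

# Tiny DER encoder, used only to build constructed sample records offline.
def _der(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")  # long-form length
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _der_int(value: int) -> bytes:
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:  # leading zero keeps the INTEGER positive
        body = b"\x00" + body
    return _der(0x02, body)

def rsa_spki(n: int, e: int = 65537) -> bytes:
    """Encode an RSA SubjectPublicKeyInfo, the format DKIM publishes in p=."""
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")) + _der(0x05, b""))
    pkcs1 = _der(0x30, _der_int(n) + _der_int(e))
    return _der(0x30, alg + _der(0x03, b"\x00" + pkcs1))

def _der_walk(buf: bytes):
    """Yield (tag, content) for each TLV in buf; handles short and long lengths."""
    i = 0
    while i < len(buf):
        tag, first = buf[i], buf[i + 1]
        i += 2
        length = first
        if first & 0x80:
            length = int.from_bytes(buf[i:i + (first & 0x7F)], "big")
            i += first & 0x7F
        yield tag, buf[i:i + length]
        i += length

def dkim_key_bits(txt_record: str) -> int:
    """Return the RSA modulus size in bits for a 'v=DKIM1; k=rsa; p=...' record."""
    tags = dict(re.findall(r"\s*(\w+)\s*=\s*([^;]*)", txt_record))
    if tags.get("k", "rsa") != "rsa":
        raise ValueError("only k=rsa records are supported")
    spki = base64.b64decode(re.sub(r"\s+", "", tags["p"]))
    _alg, bitstr = [c for _, c in _der_walk(next(_der_walk(spki))[1])]
    pkcs1 = next(_der_walk(bitstr[1:]))[1]  # skip the unused-bits byte
    return int.from_bytes(next(_der_walk(pkcs1))[1], "big").bit_length()

def is_weak_dkim_key(txt_record: str, minimum_bits: int = 1024) -> bool:
    return dkim_key_bits(txt_record) < minimum_bits

# Constructed sample records (arbitrary moduli, not real keys): 512-bit and 2048-bit.
WEAK_RECORD = "v=DKIM1; k=rsa; p=" + base64.b64encode(rsa_spki((1 << 511) | 0x2F1)).decode()
OK_RECORD = "v=DKIM1; k=rsa; p=" + base64.b64encode(rsa_spki((1 << 2047) | 0x2F1)).decode()
```

Running `dkim_key_bits` over every selector a domain publishes is a quick way to catch a 512-bit key like the one in the story before someone else does.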
This work, unless otherwise expressly stated, is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.