Google has issued a warning to Iranian users of its Gmail system in the aftermath of a digital certificate hack, which could have allowed a hacker to mimic Google’s email system in Iran.
“While Google’s internal systems were not compromised, we are directly contacting possibly affected users and providing similar information below because our top priority is to protect the privacy and security of our users,” Eric Grosse, vice president of security engineering at Google, wrote in a blog post.
The issue, which stems from a security lapse at Dutch digital security firm DigiNotar, is thought to affect an estimated 300,000 Gmail users in Iran. The fear is that the hacker will now be able to trick Iranian Gmail users into visiting a spoofed version of the Google site and thus gain access to users’ accounts.
Google advised its Iranian Gmail users to change their passwords, update their account recovery information and delete any suspicious forwarding addresses as well as applications that can access their accounts.
The Iranian perpetrator, who calls himself “Comodohacker” and says he is a 21-year-old software engineering student who reveres Ayatollah Ali Khamenei, also claims to have stolen certificates for 531 sites — including Facebook, Skype, Mozilla, Microsoft, Yahoo, Android and Twitter, as well as domains belonging to the CIA and Israel’s Mossad, according to Security News Daily.
The theft of the digital certificates, which are meant to guarantee that websites are genuine, has exposed a huge flaw in the fundamental precepts of internet security, researchers say.
Though all the major browser makers have already revoked digital certificates issued by DigiNotar, it’s possible that other companies issuing digital certificates have also been compromised, with the hack remaining undetected.
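The flaw is structural: any CA a browser trusts can issue a certificate for any site, so distrusting DigiNotar alone does nothing against the next compromised issuer. Public-key pinning, the check that flagged the fraudulent Google certificate in Chrome, closes that gap; the Go program below is an added example (not code from the article, Google or DigiNotar) that builds two throwaway roots, trusts both, pins only the legitimate one, and shows a certificate for a constructed hostname from the other root being rejected despite a chain that validates. The hostnames and CA names are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mint issues a certificate for cn: a self-signed root when parent is nil, otherwise a
// server certificate signed by parent/parentKey. Errors are ignored (demo code only).
func mint(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), IsCA: parent == nil,
		Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn}, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		parent, parentKey = tpl, key // self-sign
	}
	der, _ := x509.CreateCertificate(rand.Reader, tpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// verifyPinned does ordinary chain validation, then also requires a pinned SubjectPublicKeyInfo
// hash somewhere in the chain, so a certificate for host from any other trusted CA is rejected.
func verifyPinned(leaf *x509.Certificate, host string, roots *x509.CertPool, pins map[[32]byte]bool) error {
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	if err != nil { return err } // no trusted chain at all
	for _, c := range chains[0] {
		if pins[sha256.Sum256(c.RawSubjectPublicKeyInfo)] { return nil }
	}
	return fmt.Errorf("%s: chain validates but issuer %q is not pinned", host, leaf.Issuer.CommonName)
}
// demo trusts both roots (as browsers once trusted DigiNotar) but pins only the legitimate one
// for a constructed hostname. Returns (legitimate leaf accepted, rogue leaf accepted).
func demo() (bool, bool) {
	const host = "mail.example.test" // constructed, not a real Google host
	goodCA, goodKey := mint("legit-root.test", nil, nil)
	rogueCA, rogueKey := mint("compromised-root.test", nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(goodCA)
	roots.AddCert(rogueCA)
	pins := map[[32]byte]bool{sha256.Sum256(goodCA.RawSubjectPublicKeyInfo): true}
	goodLeaf, _ := mint(host, goodCA, goodKey)
	rogueLeaf, _ := mint(host, rogueCA, rogueKey)
	return verifyPinned(goodLeaf, host, roots, pins) == nil, verifyPinned(rogueLeaf, host, roots, pins) == nil
}
func main() { fmt.Println(demo()) } // true false
```

Run with `go run`: the legitimate leaf is accepted, the rogue leaf fails the pin check even though `Verify` found a trusted chain for it.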
In an email interview with the New York Times Monday, the purported DigiNotar hacker said that he was acting alone, but hinted that he gave his information to the Iranian government.
“I’m totally independent,” he said. “I just share my findings with some people in Iran. They are free to do anything they want with my findings and things I share with them, but I’m not responsible.”
“My country should have control over Google, Skype, Yahoo, etc,” he added. “I’m breaking all encryption algorithms and giving power to my country to control all of them.”