According to Hafif, he found that by tweaking the URL of the page shown when a user declines delegated access to another user's account, it would instead show him the email address of someone else. Combining this flaw with a piece of software called DirBuster (a brute-force enumeration tool) to iterate through URL variations, Hafif managed to collect around 37,000 Gmail addresses in a matter of hours. Hafif claims that had he wanted to truly exploit this flaw, he could have had the email address of every single Gmail user in a matter of days or weeks.
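To make the class of bug concrete, here is an added example that is not from the article and not Google's code: a synthetic, in-memory model of a "decline" page that looks a record up by an identifier in the URL, in a vulnerable form beside a fixed one, plus a small DirBuster-style loop that walks the identifier space. The parameter name `req`, the host `mail.example`, the sequential ids and the addresses are all assumptions for illustration; nothing here describes the actual Gmail endpoint or token format.

```python
"""Synthetic model of an authorization bug of the kind described above.

Assumptions (not from the article): the decline page takes an identifier
in the URL, looks up a delegation record by it and prints the other
account's address. Everything is constructed in memory; no real Google
endpoint, parameter name or token format is implied.
"""
from urllib.parse import urlparse, parse_qs

# Constructed sample data: delegation requests keyed by a sequential id.
# Each record says "delegate asked for access to owner's mailbox".
DELEGATIONS = {
    1001: {"owner": "alice@example.com", "delegate": "bob@example.com"},
    1002: {"owner": "carol@example.com", "delegate": "dave@example.com"},
    1003: {"owner": "erin@example.com", "delegate": "frank@example.com"},
}

GENERIC = "You have declined this request."


def _request_id(url):
    """Pull the (assumed) 'req' parameter out of the URL, or None."""
    qs = parse_qs(urlparse(url).query)
    try:
        return int(qs.get("req", [""])[0])
    except ValueError:
        return None


def decline_page_vulnerable(url, session_user):
    """Vulnerable: identifies the record only by the id in the URL and
    echoes the other party's address. session_user is never consulted,
    so anyone can walk the id space and harvest addresses."""
    rid = _request_id(url)
    rec = DELEGATIONS.get(rid)
    if rec is None:
        return GENERIC
    return "You declined delegated access to %s." % rec["owner"]


def decline_page_fixed(url, session_user):
    """Fixed: the record must belong to the logged-in user, and every
    other case (bad id, no session, someone else's record) returns the
    same generic text, so the page leaks nothing to an enumerator."""
    rid = _request_id(url)
    rec = DELEGATIONS.get(rid)
    if rec is None or session_user is None or rec["delegate"] != session_user:
        return GENERIC
    return "You declined delegated access to %s." % rec["owner"]


def harvest(handler, id_range, session_user=None):
    """DirBuster-style enumeration: request each candidate id and keep
    any address the page leaks. Returns a sorted list of addresses."""
    found = set()
    for rid in id_range:
        body = handler("https://mail.example/decline?req=%d" % rid, session_user)
        for word in body.rstrip(".").split():
            if "@" in word:
                found.add(word)
    return sorted(found)


if __name__ == "__main__":
    print("vulnerable:", harvest(decline_page_vulnerable, range(1000, 1010)))
    print("fixed     :", harvest(decline_page_fixed, range(1000, 1010)))
```

The point of the fixed handler is not the ownership check alone but that the failure path is indistinguishable from a missing record; an enumerator that gets a different error for "exists but not yours" still learns which ids are live.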
Now before you start to freak out, you can rest easy knowing that Hafif has since worked with Google to fix the bug, although he did note that it took Google about a month after his report to do so. He also claimed that Google was initially reluctant to pay him a bounty for the discovery, but later relented and sent $500 his way, which seems like a pittance considering that Google has paid out tens of thousands of dollars for single bugs in the past.
However, like we said, this bug had been around for a while before it was fixed, so it is unclear whether other attackers abused it to collect email addresses or other personal information in the past, but for now it appears that we are safe.