I came across an interesting blog post showing how to get the name of a Gmail account. Since the bug was visible through Google Calendars, I hoped that it was maybe limited to users who had signed up for Google Calendar. This is not the case. The steps that I followed:
1) Register a brand new Gmail account with default settings
2) Go to Google Calendars (as a different user), select a calendar, and invite the user to share one of my calendars (click on the down arrow next to your calendar)
3) Invite the user
4) Save the changes (note that it indicates the user isn't registered for Google Calendars) & go back
5) See the user's name
Normally I'm all for notifying the company of the problem before public disclosures, but the cat is well out of the bag and having a walk around.
It apparently works regardless of whether the user is signed up for Google Calendars.
For me this isn't much of a problem, I'm incredibly easy to track down and my e-mail address has my name in it, but I know for others this could be quite an unwelcome surprise. Let's hope Google fixes this soon.
With that being said, if you don't use Google Calendar you can see if anyone has used this to find out your name, because you will get a Google Calendar invite.
Update: This works not only on Gmail accounts but also on Google App Domain accounts. Perhaps something for universities considering outsourcing their mail to consider.
Wednesday, July 16, 2008
Gaping hole in Gmail Privacy
Posted by Holden Karau at 12:01 AM
Labels: bugs, gmail, gmailprivacy, google, googleprivacy, hobos, lack of privacy, privacy, web apps
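The leak in the steps above comes down to the sharing list replacing a typed address with the account's display name for any inviter. The following is an added example, not code from the post or from Google; the directory, addresses, function names and the "accepted" rule are assumptions made for illustration. It contrasts that behaviour with a version that keeps echoing the address until the invitee has accepted a share from that owner.

```python
from dataclasses import dataclass, field


@dataclass
class Account:
    email: str
    display_name: str
    # Owners whose sharing invitations this account has accepted (assumed rule).
    accepted_from: set = field(default_factory=set)


# Constructed sample directory; every address and name here is made up.
DIRECTORY = {
    a.email: a
    for a in (
        Account("mikelondon24456@example.com", "Mike London"),
        Account("friend@example.com", "A. Friend", {"owner@example.com"}),
    )
}


def share_list_entry_leaky(owner: str, invitee_email: str) -> str:
    """Models the behaviour in the post: any inviter gets the display name."""
    acct = DIRECTORY.get(invitee_email)
    return acct.display_name if acct else invitee_email


def share_list_entry_hardened(owner: str, invitee_email: str) -> str:
    """Echo the address as typed unless the invitee accepted this owner's share.

    Unknown addresses and known-but-unaccepted addresses produce the same
    output, so the label cannot be used to test whether an account exists.
    """
    acct = DIRECTORY.get(invitee_email)
    if acct and owner in acct.accepted_from:
        return acct.display_name
    return invitee_email


def resolvable_by(entry_fn, owner: str) -> list:
    """Regression check: addresses whose label differs from the typed address."""
    return sorted(e for e in DIRECTORY if entry_fn(owner, e) != e)


if __name__ == "__main__":
    for fn in (share_list_entry_leaky, share_list_entry_hardened):
        print(fn.__name__, resolvable_by(fn, "stranger@example.com"))
```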


71 comments:
Hole. Not whole.
Whether. Not weather.
but the cat is. Not but it the cat is
:)
Thanks for the public disclosure, a--hole.
You've been /.ed. I'd advise a quick spell/grammer check 'cause the world is watching. Your 15 minutes has begun (prior to the horde crashing your host server).
disclosures, not disclosers
7 minutes of fame left...
This is nice thanks for the hack
-The man
http://www.worldlydecor.com
worldly Decor
The same thing will happen in google maps.
you come to me one a summer breeze, keep me warm with your love then you softly leave. then its me you need to show how deep is your love. cause we're living in a world of fools, breaking us down.
great! For me to poop on!
"Great! For me to poop on!"
What does that even mean you worthless piece of crap? Why are you posting on the internet you stupid, stupid child.
Hey toby, grammar is spelled with an "a." Don't be so quick to criticize others.
Actually, Grammer/Grammar are the same thing.
Check it in the dictionary.
It's like Color/Colour or Theater/Theatre.
Perhaps we could have some technical comments rather than personal quips.
Thank you for bringing this to the world's attention. I hope Google fix it soon.
http://www.thefreedictionary.com/dict.asp?Word=Grammer
gram´mer (grăm´mẽr)
n. 1. Grammar; - a common misspelling.
Webster's Revised Unabridged Dictionary, published 1913 by C. & G. Merriam Co.
or jail/gaol
fucking blog sucks!
I would appreciate it if you would have notified Google first and allowed them to close the hole before public disclosure.
After the hole is closed, you can still present screenshots or even a video taken prior to the issue being fixed.
PEEEEEEENIIIIIIIIIS SNOOSHAU I SEE!
SnooPING AS usual I see.
PINGAS
Heh heh! Oh, boy! Penis! MENIS FENIS BENIS GENIS DENIS DENNIS DENNACE Yeeeeeeeeahhhhhhhhh MAN-DENIS.
I'd like to say sorry for the previous post. I had meant to post that anonymously, but I forgot to. It was all meant in good nature, I mean, since you've been posted on slashdot. No offense was meant.
HAHAHAHA OP HERE DISREGARD THAT I SUCK COCKS
Looks like Google employees read slashdot or monitor every Blogger post. At least they haven't disabled your account.
I would appreciate it if you would have notified Google first and allowed them to close the hole before public disclosure. ---
I would appreciate it if SHUT THE FUCK UP, GTFO and kill yourself.
pwt fkwit! you tried to show how leet you were and got fked on for it. this is a lesson to all tools out there like you - don't blog about exploits, use them.
Webster's Revised Unabridged Dictionary, published 1913
...wow, your choice of definition is fresh like a month old carton of milk left in the sun...
btw: I am posting anonymously because I'm assuming my Blogger ID would give the same info away
Wow the server is still online? After being /.ed? Amazing! This loophole is pretty neat. Makes me wonder what other companies out there have this type of glitch.
Nick Coblentz, Security PS , your a pompus prick. go and jerk yourself off.
he said it was already disclosed.
NEED HELP; PLZ REPLY!!!
I AM TRYNG TO GET A GMAIL EMAIL ACCOUNT!
PLZ SNED INFO! CALENDAR@PENISPILLS.COM
PLZ HLP!!!!!!!!!!!!!!!
THANK YOU!!!!!!!!!!!!!!!
FIRST POST
Big PENIS.
ROFLMAO
Simple minds are easily amused..
I see someone is bent out of shape that the only hack they knew, has now become public.
Lay off the kid, its not like this is grammer class. Its a blog, and your annoying..
[b]SCIENTOLOGY IS A DANGEROUS CULT[/b]
___ ____ _ _ _ ____ _
/ o \ / __\ / \ / \ / \ / ___\ / \
| __/ | |__ | \ | | | | \ \ | |
| | | ___\ | \| | | | \ \ \_/
| | | |__ | |\ | | | | _\ \ _
\_/ \____\ \_/ \__/ \_/ /____\ \_\
I take it none of you read 2600 then <.grin.>
Bohrstein, do a quick google next time or use a dictionary yourself:
http://en.wiktionary.org/wiki/grammer
If you can't click on the link here's a quote:
"Common misspelling of grammar"
all your names are owned by us
This may help:
http://how-to-spell-its.com
This may help more:
http://www.detroithardcore.com/lensman.jpg
Yahoo resolved this one at least a year ago when they started introducing aliases, allowing users to be identified by a 'nice' name, rather than an ugly email address like mikelondon24456.
this isn't much of an exploit for people with email addresses like michael.bolton@gmail.com
These comments are hilarious. Half a discussion on typos then the spelling of grammar!
http://www.detroithardcore.com/lensman.jpg
so THATS what the gaping hole in gmail looks like...
@dennacematthews:
Hahaha! Caught by your own foolishness, and then caught making lame excuses.
Posting anonymously wouldn't have changed anything 'cept for the name above the post, do you realize that? You still choose to trash a place on the internet instead of writing something beautiful. You could better take responsibility for your writing at all times, even posting anonymously... because you want to do the right thing and make this world a better place, aye?
Also, you cannot blame slashdot for *your* actions...! Just because slashdot links to a page doesn't mean you have to trash it with immature crap like that. What's your logic anyways? Slashdot is an immature site posting about penises and now I have to do the same? What?
OK - I'm on this spelling/gramm*A*r police bandwagon.
Lets / Let's (contraction of "Let us").
Facebook also does this, and doesn't even email the person involved.
Go to the site, do a search for an email address. If that finds someone you will get their name and picture if available.
Just because is not a valid argument.
;-)
dennacematthews... XD self-0wned XDDDD
are you a member of the 'special people club'? sure! XD
interesting. I'll have to give it a try and see what comes out of it.
this is hardly an issue, in fact it's not an issue at all.
The name that comes up is the same name that is sent with every email a person sends from their gmail account.
This is not secret information.
I wouldn't worry about it too much. Google has a very good spam guard.
I hope Google solves it soon :)
I'd worry about protecting my email address. How do I care if the spam is personalized? I care if it is sent to me. It's not like I'm going to read it and be likely to buy V14Gr4 if they use my name.
It's hardly a gaping hole. Did you read the comments on the blog post that you quoted from?
It does *not* show the first and last name of the user; it shows the identifying text that the user has chosen to display next to his email address in the "From" line of emails, which happens to be the first and last name for many people, but can be changed to whatever the user wants.
If the user has ever emailed a publicly-archived mailing list, then this information is already out in the public.
The only hole here is that, before, the user only gave out this info when he sent an email and, now, someone else can get the info without the user intentionally sending an email. But this request will cause an email notification to be sent to the user -- so it can't be used to secretly get someone's identifier.
So ... what are we worried about?
Yes, Google should leave the email address as is when sending invites. This way they can prevent angry users whining about small features like these.
But still it was fun to know this, thanks for the post!
Though I'm a little bit sad for most of the comments up there. :(
http://www.wsu.edu/~brians/errors/grammer.html
It’s amazing how many people write to thank me for helping them with their “grammer.” It’s “grammar.” The word is often incorrectly used to label patterns of spelling and usage that have nothing to do with the structure of language, the proper subject of grammar in the most conservative sense. Not all bad writing is due to bad grammar.
anonymous is the best !!!
jaja
Get bent, you're all lame.
and you're an egg lamer !!
It would be great if I could slap each and every individual for their own stupidity on this blog's postings. I came to this blog due to the discovery of yet another privacy issue branching from a large service: Gmail. It did not matter to me that the individual bringing the privacy issue to our attention was bad in grammar. In fact, I did not even notice it until I read your lame posts. It is each of you (grammar posts) who diverted the attention from the privacy issues to one’s grammar. You are truly fools. Limited in Brain Matter - Fools. So here is a slap coming your way.....
I remember when facebook opened up, you could sql injection into anybody's account. :) the good ol' days.
ping
pong?
Good find, thanks for the POC.
I am not able to logout of my ymail account as there is no logout button/link on the page