Wednesday, July 16, 2008

Gaping hole in Gmail Privacy

I came across an interesting blog post showing how to get the name of a Gmail account. Since the bug was visible through Google Calendars I hoped that it was maybe limited to users who had signed up for Google Calendar. This is not the case. The steps that I followed:
1) Register a brand new Gmail account with default settings

2) Go to Google Calendars (as a different user), select a calendar, and invite the user to share one of my calendars (click on the down arrow next to your calendar)

3) Invite the user

4) Save the changes (note that it indicates the user isn't registered for Google Calendars) & go back

5) See the user's name

Normally I'm all for notifying the company of the problem before public disclosures, but the cat is well out of the bag and having a walk around.
It apparently works regardless of whether the user is signed up for Google Calendars.
For me this isn't much of a problem, I'm incredibly easy to track down and my e-mail address has my name in it, but I know for others this could be quite an unwelcome surprise. Let's hope Google fixes this soon.
With that being said, if you don't use Google Calendar you can see if anyone has used this to find out your name, because you will get a Google Calendar invite.
Update: This works not only on Gmail accounts but also on Google App Domain accounts. Perhaps something for universities considering outsourcing their mail to consider.
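
As an added example (not from the original post and not Google's code), this sketch models the behaviour the steps above expose and one way a sharing list could avoid it. The directory, classes and function names are hypothetical, and the sample account data is constructed.

```python
from dataclasses import dataclass, field

# Constructed sample directory: email -> "From" display name (hypothetical data).
DIRECTORY = {
    "jdoe1234@example.com": "Jane Doe",
    "owner@example.com": "Calendar Owner",
}

@dataclass
class Share:
    email: str
    accepted: bool = False  # set once the invitee accepts the share

@dataclass
class Calendar:
    owner: str
    shares: list = field(default_factory=list)

def invite(cal, email):
    """Record a pending share; the reply does not depend on whether the account exists."""
    cal.shares.append(Share(email=email.lower()))
    return "invitation sent"

def render_vulnerable(cal):
    """Behaviour described in the post: every invitee is resolved to a display name."""
    return [DIRECTORY.get(s.email, s.email) for s in cal.shares]

def render_hardened(cal, owner_contacts):
    """Show a display name only if the invitee accepted the share, or the owner
    already holds that name (for instance from mail the invitee sent them).
    Otherwise echo back exactly what the owner typed."""
    rows = []
    for s in cal.shares:
        known = s.accepted or s.email in owner_contacts
        rows.append(DIRECTORY[s.email] if known and s.email in DIRECTORY else s.email)
    return rows

if __name__ == "__main__":
    cal = Calendar(owner="owner@example.com")
    invite(cal, "jdoe1234@example.com")
    print("vulnerable:", render_vulnerable(cal))
    print("hardened:  ", render_hardened(cal, owner_contacts=set()))
```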

77 comments:

Anonymous said...

Hole. Not whole.

Anonymous said...

Whether. Not weather.

Anonymous said...

but the cat is. Not but it the cat is

:)

Anonymous said...

Thanks for the public disclosure, a--hole.

Toby said...

You've been /.ed. I'd advise a quick spell/grammer check 'cause the world is watching. Your 15 minutes has begun (prior to the horde crashing your host server).

Anonymous said...

disclosures, not disclosers

Anonymous said...

7 minutes of fame left...

Anonymous said...

This is nice thanks for the hack

-The man
http://www.worldlydecor.com
worldly Decor

Toke said...

The same thing will happen in google maps.

Anonymous said...

you come to me one a summer breeze, keep me warm with your love then you softly leave. then its me you need to show how deep is your love. cause we're living in a world of fools, breaking us down.

d said...

great! For me to poop on!

Anonymous said...

"Great! For me to poop on!"

What does that even mean you worthless piece of crap? Why are you posting on the internet you stupid, stupid child.

Anonymous said...

Hey toby, grammar is spelled with an "a." Don't be so quick to criticize others.

Bohrstein said...

Actually, Grammer/Grammar are the same thing.

Check it in the dictionary.

It's like Color/Colour or Theater/Theatre.

Rob Garth said...

Perhaps we could have some technical comments rather than personal quips.

Thank you for bringing this to the world's attention. I hope Google fix it soon.

Anonymous said...

http://www.thefreedictionary.com/dict.asp?Word=Grammer

gram´mer (grăm´mẽr)
n. 1. Grammar; - a common misspelling.
Webster's Revised Unabridged Dictionary, published 1913 by C. & G. Merriam Co.

Anonymous said...

or jail/gaol

Anonymous said...

fucking blog sucks!

Nick Coblentz, Security PS said...

I would appreciate it if you would have notified Google first and allowed them to close the hole before public disclosure.

After the hole is closed, you can still present screenshots or even a video taken prior to the issue being fixed.

Anonymous said...

PEEEEEEENIIIIIIIIIS SNOOSHAU I SEE!

SnooPING AS usual I see.

PINGAS

dennacematthews said...

Heh heh! Oh, boy! Penis! MENIS FENIS BENIS GENIS DENIS DENNIS DENNACE Yeeeeeeeeahhhhhhhhh MAN-DENIS.

dennacematthews said...

I'd like to say sorry for the previous post. I had meant to post that anonymously, but I forgot to. It was all meant in good nature, I mean, since you've been posted on slashdot. No offense was meant.

Anonymous said...

HAHAHAHA OP HERE DISREGARD THAT I SUCK COCKS

Anonymous said...

Looks like Google employees read slashdot or monitor every Blogger post. At least they haven't disabled your account.

Anonymous said...

I would appreciate it if you would have notified Google first and allowed them to close the hole before public disclosure. ---

I would appreciate it if SHUT THE FUCK UP, GTFO and kill yourself.

Anonymous said...

pwt fkwit! you tried to show how leet you were and got fked on for it. this is a lesson to all tools out there like you - don't blog about exploits, use them.

Anonymous said...

Webster's Revised Unabridged Dictionary, published 1913

...wow, your choice of definition is fresh like a month old carton of milk left in the sun...

btw: I am posting anonymously because I'm assuming my Blogger ID would give the same info away

Do you lyk mudkips? said...

Wow the server is still online? After being /.ed? Amazing! This loophole is pretty neat. Makes me wonder what other companies out there have this type of glitch.

Reid said...

Nick Coblentz, Security PS, you're a pompous prick. go and jerk yourself off.

he said it was already disclosed.

Anonymous said...

NEED HELP; PLZ REPLY!!!

I AM TRYNG TO GET A GMAIL EMAIL ACCOUNT!
PLZ SNED INFO! CALENDAR@PENISPILLS.COM

PLZ HLP!!!!!!!!!!!!!!!
THANK YOU!!!!!!!!!!!!!!!

Herr Hitx0r said...

FIRST POST

Anonymous said...

Big PENIS.

Anonymous said...

ROFLMAO

Anonymous said...

Simple minds are easily amused..

I see someone is bent out of shape that the only hack they knew, has now become public.

Lay off the kid, it's not like this is grammer class. It's a blog, and you're annoying..

Anonymous said...

[b]SCIENTOLOGY IS A DANGEROUS CULT[/b]

Anonymous said...

___ ____ _ _ _ ____ _
/ o \ / __\ / \ / \ / \ / ___\ / \
| __/ | |__ | \ | | | | \ \ | |
| | | ___\ | \| | | | \ \ \_/
| | | |__ | |\ | | | | _\ \ _
\_/ \____\ \_/ \__/ \_/ /____\ \_\

Anonymous said...

I take it none of you read 2600 then <.grin.>

Anonymous said...

Bohrstein, do a quick google next time or use a dictionary yourself:

http://en.wiktionary.org/wiki/grammer

If you can't click on the link here's a quote:

"Common misspelling of grammar"

Anonymous said...

all your names are owned by us

notmynose said...

This may help:

http://how-to-spell-its.com

Anonymous said...

This may help more:
http://www.detroithardcore.com/lensman.jpg

Christo, Spiration said...

Yahoo resolved this one at least a year ago when they started introducing aliases, allowing users to be identified by a 'nice' name, rather than an ugly email address like mikelondon24456.

Anonymous said...

this isn't much of an exploit for people with email addresses like michael.bolton@gmail.com

Anonymous said...

These comments are hilarious. Half a discussion on typos then the spelling of grammar!

Anonymous said...

http://www.detroithardcore.com/lensman.jpg

so THATS what the gaping hole in gmail looks like...

Anonymous said...

@dennacematthews:

Hahaha! Caught by your own foolishness, and then caught making lame excuses.

Posting anonymously wouldn't have changed anything 'cept for the name above the post, do you realize that? You still choose to trash a place on the internet instead of writing something beautiful. You could better take responsibility for your writing at all times even posting anonymously... because you want to do the right thing and make this world a better place, aye?

Also, you cannot blame slashdot for *your* actions...! Just because slashdot links to a page doesn't mean you have to trash it with immature crap like that. What's your logic anyways? Slashdot is an immature site posting about penises and now i have to do the same? What?

Anonymous said...

OK - I'm on this spelling/gramm*A*r police bandwagon.

Lets / Let's (contraction of "Let us").

Anonymous said...

Facebook also does this, and doesn't even email the person involved.

Go to the site, do a search for an email address. If that finds someone you will get their name and picture if available.

Anonymous said...

Just because is not a valid argument.

;-)

Anonymous said...

dennacematthews... XD self-0wned XDDDD

are you a member of the 'special people club'? sure! XD

Zeidz said...

interesting. I'll have to give it a try and see what comes out of it.

Jessta said...

this is hardly an issue, in fact it's not an issue at all.
The name that comes up is the same name that is sent with every email a person sends from their gmail account.
This is not secret information.

Anonymous said...

I wouldn't worry about it too much. Google has a very good spam guard.

Hikari said...

I hope Google solves it soon :)

Anonymous said...

I'd worry about protecting my email address. How do I care if the spam is personalized? I care if it is sent to me. It's not like I'm going to read it and be likely to buy V14Gr4 if they use my name.

Anonymous said...

It's hardly a gaping hole. Did you read the comments on the blog post that you quoted from?

It does *not* show the first and last name of the user; it shows the identifying text that the user has chosen to display next to his email address in the "From" line of emails, which happens to be the first and last name for many people, but can be changed to whatever the user wants.

If the user has ever emailed a publicly-archived mailing list, then this information is already out in the public.

The only hole here is that, before, the user only gave out this info when he sent an email and, now, someone else can get the info without the user intentionally sending an email. But this request will cause an email notification to be sent to the user -- so it can't be used to secretly get someone's identifier.

So ... what are we worried about?

Federico said...

Yes, Google should leave the email address as is when sending invites. This way they can prevent angry users whining about small features like these.

But still it was fun to know this, thanks for the post!

Though I'm a little bit sad for most of the comments up there. :(

Anonymous said...

http://www.wsu.edu/~brians/errors/grammer.html

It’s amazing how many people write to thank me for helping them with their “grammer.” It’s “grammar.” The word is often incorrectly used to label patterns of spelling and usage that have nothing to do with the structure of language, the proper subject of grammar in the most conservative sense. Not all bad writing is due to bad grammar.

Hassan said...

anonymous is the best !!!

jaja

Anonymous said...

Get bent, you're all lame.

Anonymous said...

and you're an egg lamer !!

Anonymous said...

It would be great if I could slap each and every individual for their own stupidity on this blog's postings. I came to this blog due to the discovery of yet another privacy issue branching from a large service; Gmail. It did not matter to me that the individual bringing the privacy issue to our attention was bad in grammar. In fact, I did not even notice it until I read your lame posts. It is each of you (grammar posts) who diverted the attention from the privacy issues to one’s grammar. You are truly fools. Limited in Brain Matter - Fools. So here is a slap coming your way.....

Anonymous said...

I remember when facebook opened up, you could sql injection into anybody's account. :) the good ol' days.

Anonymous said...

ping

Holden Karau said...

pong?

James said...

Good find, thanks for the POC.

etoplum said...

I am not able to logout of my ymail account as there is no logout button/link on the page

socialmediastations said...

Best news i heard all day

www.nickler.gen.tr said...

You've been /.ed. I'd advise a quick spell/grammer check 'cause the world is watching. Your 15 minutes has begun (prior to the horde crashing your host server).

MSN nicknames, avatars, clips, emo nicknames, music, videos, nicknames, nice sayings, pictures

Anonymous said...

omg. whores, all of you. go die somewhere.... after you kill me slowly and painfully :)

Anonymous said...

wtf what the hell is wrong with you all
this conversation is so going on failblog.com
EPIC WIN

araç sorgulama said...

Pong ?

Anonymous said...

Toby said...
You've been /.ed. I'd advise a quick spell/grammer check 'cause the world is watching. Your 15 minutes has begun (prior to the horde crashing your host server).

It's actually spelled, "GRAMMAR" =)
