Full Disclosure mailing list archives
Re: full name disclosure information leak in google drive
From: forgottenpassword <forgottenpassword () riseup net>
Date: Thu, 22 Jan 2015 01:57:02 +0000
You can use the "forgot password" feature on a google account to find out someone's full name.

Test it out for yourself:

https://www.google.com/accounts/recovery/

Select "I don't know my password"
Enter bonsaiviking () gmail com (or another gmail address)

On the next screen you will be shown the person's full name and account avatar. In this case "Daniel Miller".

kevin mcsheehan:

When you sign up for a Google account and create a profile

when they say "create a profile" they're referring to google plus. the 302 on https://profiles.google.com should be a solid indicator of that. this vulnerability is capable of targeting non-g+ users, and that's the point.

here is an example of google acknowledging that names are personal information: http://i.imgur.com/VHLfcC2.png

Quoting Daniel Miller <bonsaiviking () gmail com>:

On Wed, Jan 21, 2015 at 2:26 PM, kevin mcsheehan <kevin () mcsheehan com> wrote:

exploit title: full name disclosure information leak in google drive
software link: https://drive.google.com/drive/#my-drive
author: kevin mcsheehan
website: http://mcsheehan.com
email: kevin () mcsheehan com
date: 01/20/15
source: http://mcsheehan.com/?p=15

description: google drive leaks the full name of a target email address when said email address is associated with an uploaded file. the full name is displayed whether or not the target has made that information publicly accessible by creating a google plus account.

I'm pretty sure Google doesn't consider this sort of thing a vulnerability. Here's their "it's not a bug" page for it:
https://sites.google.com/site/bughunteruniversity/nonvuln/discover-your-name-based-on-e-mail-address
Dan
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/