Re: full name disclosure information leak in google drive

[forgottenpassword <forgottenpassword () riseup net>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

You can use the "forgot password" feature on a google account to find
out someone's full name.

Test it out for yourself:

https://www.google.com/accounts/recovery/
Select "I don't know my password"
Enter bonsaiviking () gmail com (or another gmail address)

On the next screen you will be shown the persons full name and account
avatar. In this case "Daniel Miller".


kevin mcsheehan:
> > When you sign up for a Google account and create a profile
>
> when they say "create a profile" they're referring to google plus. 
> the 302 on https://profiles.google.com should be a solid indicator 
> of that. this vulnerability is capable of targeting non-g+ users, 
> and that's the point.
>
> here is an example of google acknowledging that names are personal 
> information: http://i.imgur.com/VHLfcC2.png
>
>
> Quoting Daniel Miller <bonsaiviking () gmail com>:
>
> > On Wed, Jan 21, 2015 at 2:26 PM, kevin mcsheehan 
> > <kevin () mcsheehan com> wrote:
> >
> > > exploit title: full name disclosure information leak in google 
> > > drive software link: https://drive.google.com/drive/#my-drive 
> > > author: kevin mcsheehan website: http://mcsheehan.com email: 
> > > kevin () mcsheehan com date: 01/20/15
> > >
> > > source: http://mcsheehan.com/?p=15
> > >
> > > description: google drive leaks the full name of a target
> > > email address when said email address is associated with an
> > > uploaded file. the full name is displayed whether or not the
> > > target has made that information publicly accessible by
> > > creating a google plus account.
> >
> > I'm pretty sure Google doesn't consider this sort of thing a 
> > vulnerability. Here's their "it's not a bug" page for it:
https://sites.google.com/site/bughunteruniversity/nonvuln/discover-your-name-based-on-e-mail-address
> >
Dan
> _______________________________________________ Sent through the 
> Full Disclosure mailing list 
> https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & 
> RSS: http://seclists.org/fulldisclosure/

-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJUwFjlAAoJECvXMxgH8tI50mUP/2dzSpP7uP4cTXLxyAzXEoqu
0ZqxtwOc8TmLuc8+avX6o8YdJn30Cb8RFBsXXKm+N9ogcByBt/6AzX69VrVby8jY
l0NSlMjg7j6k6UkyaeTcM96Ezr1Exro0rILw5HIyqgMFN3kz6fR+KPtDtKjpw5ZQ
HyhIZjOG80Ic7Qkr0TWNAsSNqEh4XX3YmeQHlSVQIC83m7GtwcsfYHJX4LA8jqMC
JPeJXGlNNNjQT6axOKFJQ22mTpJ3yWAqPKfFDk/F0VdMXKo4Ub7bGYo4kUps0WyJ
sWgNlZxpjszYmYYOY8wJWcGPEDQI+Xub54w5yr+J+rbhpnRO7PrzLSqwBeFwBXaj
OZ84hym1nNEUjbw1HQmc3HV4eVHwPdz7EM0p7/Wj+uw3E7jUJJEhX+NMl3hncSwG
FWi8hSwPYOX6W5eNREEaJvLqmxQ8JG8lqs0gb+jYJvGV/RaNccqtfNNw64tGKdGF
JS/ya8aiv94ahZ1lpFnD/4NK9OfzheGegL/SCyzYprS08w60Fs+3CP+nIoVfSaln
K1uyGUdYYCgqqVqZcLesNF7/cYUY96LwwqYsFKohjxoadDosJ/4latu7k5Shrk3c
Lmet5EspvZADOYVLEtZtotoGoZBuQa3gCaUro2Pd1YxDEdkydUj5Bq15SHwUEk0F
qhIMz8Y/vde4wQA32hWW
=34Sn
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/