lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Wed, 21 Jan 2015 21:26:21 +0000
From: kevin mcsheehan <kevin@...heehan.com>
To: Daniel Miller <bonsaiviking@...il.com>
Cc: fulldisclosure@...lists.org
Subject: Re: [FD] full name disclosure information leak in google drive

> When you sign up for a Google account and create a profile

when they say "create a profile" they're referring to google plus. the  
302 on https://profiles.google.com should be a solid indicator of  
that. this vulnerability is capable of targeting non-g+ users, and  
that's the point.

here is an example of google acknowledging that names are personal  
information: http://i.imgur.com/VHLfcC2.png


Quoting Daniel Miller <bonsaiviking@...il.com>:

> On Wed, Jan 21, 2015 at 2:26 PM, kevin mcsheehan <kevin@...heehan.com>
> wrote:
>
>> exploit title: full name disclosure information leak in google drive
>> software link: https://drive.google.com/drive/#my-drive
>> author: kevin mcsheehan
>> website: http://mcsheehan.com
>> email: kevin@...heehan.com
>> date: 01/20/15
>>
>> source: http://mcsheehan.com/?p=15
>>
>> description: google drive leaks the full name of a target email address
>> when said email address is associated with an uploaded file. the full name
>> is displayed whether or not the target has made that information publicly
>> accessible by creating a google plus account.
>>
>
> I'm pretty sure Google doesn't consider this sort of thing a vulnerability.
> Here's their "it's not a bug" page for it:
> https://sites.google.com/site/bughunteruniversity/nonvuln/discover-your-name-based-on-e-mail-address
>
> Dan



_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ