lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <20150121212621.Horde.mUGP87jxKtTeahb8XNVl9Q1@mcsheehan.com> Date: Wed, 21 Jan 2015 21:26:21 +0000 From: kevin mcsheehan <kevin@...heehan.com> To: Daniel Miller <bonsaiviking@...il.com> Cc: fulldisclosure@...lists.org Subject: Re: [FD] full name disclosure information leak in google drive > When you sign up for a Google account and create a profile when they say "create a profile" they're referring to google plus. the 302 on https://profiles.google.com should be a solid indicator of that. this vulnerability is capable of targeting non-g+ users, and that's the point. here is an example of google acknowledging that names are personal information: http://i.imgur.com/VHLfcC2.png Quoting Daniel Miller <bonsaiviking@...il.com>: > On Wed, Jan 21, 2015 at 2:26 PM, kevin mcsheehan <kevin@...heehan.com> > wrote: > >> exploit title: full name disclosure information leak in google drive >> software link: https://drive.google.com/drive/#my-drive >> author: kevin mcsheehan >> website: http://mcsheehan.com >> email: kevin@...heehan.com >> date: 01/20/15 >> >> source: http://mcsheehan.com/?p=15 >> >> description: google drive leaks the full name of a target email address >> when said email address is associated with an uploaded file. the full name >> is displayed whether or not the target has made that information publicly >> accessible by creating a google plus account. >> > > I'm pretty sure Google doesn't consider this sort of thing a vulnerability. > Here's their "it's not a bug" page for it: > https://sites.google.com/site/bughunteruniversity/nonvuln/discover-your-name-based-on-e-mail-address > > Dan _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists