Message-ID: <54C058EE.1090001@riseup.net>
Date: Thu, 22 Jan 2015 01:57:02 +0000
From: forgottenpassword <forgottenpassword@...eup.net>
To: fulldisclosure@...lists.org
Subject: Re: [FD] full name disclosure information leak in google drive

You can use the "forgot password" feature on a Google account to find
out someone's full name.

Test it out for yourself:

https://www.google.com/accounts/recovery/
Select "I don't know my password"
Enter bonsaiviking@...il.com (or another Gmail address)

On the next screen you will be shown the person's full name and account
avatar. In this case "Daniel Miller".

kevin mcsheehan:
>> When you sign up for a Google account and create a profile
>
> when they say "create a profile" they're referring to google plus.
> the 302 on https://profiles.google.com should be a solid indicator
> of that. this vulnerability is capable of targeting non-g+ users,
> and that's the point.
>
> here is an example of google acknowledging that names are personal
> information: http://i.imgur.com/VHLfcC2.png
>
>
> Quoting Daniel Miller <bonsaiviking@...il.com>:
>
>> On Wed, Jan 21, 2015 at 2:26 PM, kevin mcsheehan
>> <kevin@...heehan.com> wrote:
>>
>>> exploit title: full name disclosure information leak in google
>>> drive software link: https://drive.google.com/drive/#my-drive
>>> author: kevin mcsheehan website: http://mcsheehan.com email:
>>> kevin@...heehan.com date: 01/20/15
>>>
>>> source: http://mcsheehan.com/?p=15
>>>
>>> description: google drive leaks the full name of a target
>>> email address when said email address is associated with an
>>> uploaded file. the full name is displayed whether or not the
>>> target has made that information publicly accessible by
>>> creating a google plus account.
>>>
>>
>> I'm pretty sure Google doesn't consider this sort of thing a
>> vulnerability. Here's their "it's not a bug" page for it:
>>
>> https://sites.google.com/site/bughunteruniversity/nonvuln/discover-your-name-based-on-e-mail-address
>>
>> Dan
>
> _______________________________________________ Sent through the
> Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure Web Archives &
> RSS: http://seclists.org/fulldisclosure/
>