How to find the real name behind the gmail address, round 2

As you can see from the comments in my previous post, google has fixed the google calendar problem that allowed gmail users to see other users’ full names. Obviously, many people are disappointed – that’s the downside of web services: once a vulnerability is fixed, it’s fixed for everyone, immediately :-)

But Yair, SEO expert by day and curious individual by night, told me about a different way to do the attack. This attack works on both gmail and google apps users, and is completely stealthy – unlike the google calendar attack that notifies the victim, this one can be conducted without them knowing.

So what should I do with this information? Contacting the google security team is like typing Shakespeare into /dev/null, as anyone who ever tried to report a security vulnerability to google probably knows – it’s amazing to see the difference between the hostile google security team and the Microsoft security team who is trying hard (sometimes a little too hard) to be researcher friendly. So contacting google security is pretty much not an option.

The other ‘default’ option is to go full disclosure. But in this case, disclosing a bug in google will result in them claiming the bug is actually a feature, and then fixing it silently without any acknowledgment while chanting softly: “There was no bug. These aren’t the droids you’re looking for. Move along”. None of you will get a chance to test it, because by the time you do the problem would be fixed and we have never been at war with Eurasia.

So how do I give the smart readers a chance to try it out without alerting the world media? Simple: I will give you a chance to try it out before I disclose it. A smart and energetic researcher should be able to find this bug based on the hints in this page. You might even find holes different than what Yair did. This should be fun…

To give the proper incentive, if you find the hole, try to get the full name of the gmail email metalolcats@gmail.com. Use the full name as a coupon code to get a free account on our vulnerability scanning service to scan your server from the Internet on an ongoing basis. Just sign up here and use the real name of the gmail user above as the coupon code. If you don’t have a server to scan for vulnerabilities or don’t feel like signing up, send me the answer to aviram at beyondsecurity.com and I will mention you on this page. But be quick, the google QA team may find it before you. When enough people find it, or google fixes it, I’ll publish the way along with some screenshots. That is, if the truth ministry doesn’t get to me first.

Oh, and the question you are all dying to ask – admin@gmail.com is no longer ‘smart ass’. It’s now just boring old “Admin”, but then again it always has been.

  • Kolor

    “There was no bug. These aren’t the droids you’re looking for. Move along”

    You’re my hero! :)

  • http://www.tssci-security.com Andre Gironda

    GReader still shows GMail user “real names”, under “Sharing Settings”. I noticed the GCal one long ago (2.5 years ago?)… GReader has been doing this for almost a year now, as well.

    There’s all sorts of weird scenarios you can get GMail/GTalk/GDocs into. What scares me is that OSS and OSRF (onsite-scripting and onsite request-forgery) are certainly possible. If you look at some of the unicode flaws that Chris Weber has discovered, most of these work fine throughout Google’s web applications. Worse, the HTML/CSS injections that Arshan Dabirsiaghi has discussed are also very possible (this may or may not be related to Jeremiah Grossman’s and RSnake’s Clickjacking).