Google: we will share your name with anyone who asks us for it
Here’s what happens when you try to bury a security vulnerability by fixing it silently and not telling anyone: all other similar vulnerabilities remain unfixed.
When I started a challenge yesterday to find a different way to find the full name behind a user’s gmail address I had a specific method in mind – a weakness in google docs that shows the full name of a person when you share a document (description and screen shots below). But it appears this problem is more widespread – it affects google maps, and perhaps other apps as well (there seems to be a difference between various localized versions of the google applications, so YMMV). Andre claims that he’d known about this for 2.5 years ago, and I wonder who else have known (spammers using this method to personalize the mails sent to gmail addresses?). All of this could have been prevented if google came out with a simple advisory explaining the problem and their stand on it. If they really wanted to fix it (and not just silence the press about the previous problem) people would have notified them about the other problems so that they can address them. Instead, they sent a PR drone to deny this is really a problem, while a programmer patched it without giving thought to the other google applications.
I’d be happy to hear from anyone on google’s security or development team – I promise to post their response verbatim and I’m curious to hear what they have to say. Notice, however, that I couldn’t care less about their PR response. If your position in google is marketing, don’t bother replying – this is a security issue and not a marketing issue – it’s time google addresses it for what it is.
And for those who were patient enough to go through my rant, here’s a step-by-step explanation provided by Vincent Claeys on how to reveal the real name behind the gmail address. Kudos to Naftali Shpitzer, Vincent Claeys and Andre Gironda for finding the way (and other ways I haven’t thought of…) to solve the problem.
1. Log in to your gmail account
2. Click documents on the left top
3. Create a presentation, save it, close it
4. In the list with presentations, select the presentation you just made
5. Click the “share” button
6. Type in the e-mail address of which you want to find out the real name
7. Click “invite” (I always use “as viewers”, but “as collaborators”
will work as well I guess)
8. Click “skip sending invitation”
9. Click “ok” in the warning window
10. Click on the presentation to open it (a new window will open)
11. Click on the “share” tab on the right top corner
12. Read the real name of the person you invited
13. Remove the invited person from the list again so he doesn’t notice
anything when he logs into his gmail account