A security researcher, while poking around Google services, found a vulnerability that let any user discover a victim's personal email address even if the victim had never shared it publicly.
Tom Anthony, a digital marketing consultant at Distilled, an SEO specialist and now also a security researcher, found a flaw that let him look up anyone's email address on Google+ even if the victim had chosen not to share it publicly. The vulnerability lies in the way Google handled a particular URL: the one for the Google+ Dashboard.
Just before Google rolled out pretty URLs for Google+, each user had their dashboard accessible through the URL below [I have replaced actual numbers with X for privacy reasons].
https://www.google.com/settings/dashboard?uq=10XXXXX323XXX22XXXXX2
The important bit is the string of numbers (10XXXXX323XXX22XXXXX2), which is the ID of the user on Google+. This ID is very much public, considering how many times it is visible in the source code of someone's profile. When I checked, I found it over 250 times in my profile.
Anthony notes that he logged into his Google+ profile and tried to access the above URL by pasting it directly into the browser's address bar. Google didn't serve an error but rather "302 redirected to accounts.google.com to the 'add session' login rather than the primary login page."
The URL in the browser now looked like this:
https://accounts.google.com/AddSession?continue=https://www.google.com/settings/dashboard#Email=REDACTED_EMAIL_ADDRESS.
The URL gave away the email address of whichever account the Google+ ID belonged to, regardless of whether its owner had chosen to share it. Anthony reported the issue to Google under its bug bounty program. The vulnerability has been patched, and Anthony is awaiting news on whether he has qualified for the bounty.
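To make the failure mode concrete, here is an added example (not Google's code and not Anthony's) that models the behaviour described above: a dashboard handler that, when the logged-in session does not match the attacker-supplied profile ID, redirects to an add-session login page and embeds the target account's email in the URL fragment, presumably to prefill the form. The ID-to-email table, the handler names and the exact redirect construction are assumptions made for the demonstration; only the shape of the leaking URL (a 302 to AddSession whose fragment carries the email) follows the article. A hardened variant and a small check that scans a Location header for leaked addresses sit beside it.

```python
"""Model of the Google+ dashboard redirect leak. Added example, not the
original page's or Google's code. ACCOUNTS, the handler functions and the
prefill behaviour are constructed assumptions for illustration."""
from urllib.parse import urlsplit, parse_qs, urlencode, quote

# Constructed sample data: a hypothetical mapping from the numeric profile ID
# (public in a profile's page source) to the account's private email address.
ACCOUNTS = {
    "10XXXXX323XXX22XXXXX2": "victim@example.com",
    "10YYYYY111YYY33YYYYY9": "someone.else@example.com",
}

DASHBOARD = "https://www.google.com/settings/dashboard"
ADD_SESSION = "https://accounts.google.com/AddSession"


def vulnerable_dashboard(requested_uid, session_uid):
    """Behaviour the article describes (assumed implementation): if the
    session does not own the requested ID, 302 to the add-session page and
    put the *target* account's email in the fragment, e.g. to prefill the
    login form. Returns (status, location) as a minimal handler would."""
    if requested_uid == session_uid:
        return 200, None
    email = ACCOUNTS.get(requested_uid)
    if email is None:
        return 404, None
    # The attacker-controlled uq= value selects which account's email leaks.
    location = f"{ADD_SESSION}?continue={quote(DASHBOARD, safe='')}#Email={email}"
    return 302, location


def fixed_dashboard(requested_uid, session_uid):
    """Hardened form: the attacker-supplied ID is used only for the ownership
    check. The redirect carries just the return URL, so nothing about any
    other account is exposed to the caller."""
    if requested_uid == session_uid:
        return 200, None
    location = f"{ADD_SESSION}?{urlencode({'continue': DASHBOARD})}"
    return 302, location


def leaked_emails_in_location(location):
    """Detection check: return any email-like values found in the query
    string or fragment of a Location header. A 302 Location is visible to the
    client, browser history and any proxy, so an address there is a
    disclosure even when it sits in the fragment."""
    if not location:
        return []
    parts = urlsplit(location)
    found = []
    for component in (parts.query, parts.fragment):
        for values in parse_qs(component, keep_blank_values=True).values():
            for value in values:
                if "@" in value and "." in value.split("@")[-1]:
                    found.append(value)
    return found


if __name__ == "__main__":
    attacker_session = "10AAAAA000AAA00AAAAA0"   # constructed: the attacker's own ID
    for handler in (vulnerable_dashboard, fixed_dashboard):
        status, loc = handler("10XXXXX323XXX22XXXXX2", attacker_session)
        print(handler.__name__, status, loc, leaked_emails_in_location(loc))
```

Running the module prints the vulnerable redirect with `victim@example.com` flagged and the fixed redirect with nothing flagged. The check is deliberately crude (any `@` with a dotted domain in a decoded query or fragment value); it is meant as a regression assertion for a redirect endpoint, not a general PII scanner.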