
Google Exploit – Steal Account Login Email Addresses - TomAnthony
http://www.tomanthony.co.uk/blog/google-exploit-steal-login-email-addresses/
======
cognivore
Nice work! I use Google+ and I a. like that you found a hole and reported it,
and b. Google fixed it nice and promptly.

I hope you get the bounty.

~~~
TomAnthony
Yeah - the Google security team are very good in my experience. They are very
fast to respond and to fix problems, and are communicative all the way
through.

Bugs will always come up in systems as large as theirs, and it is nice to
speak to a team so receptive to reports.

~~~
Matt_Cutts
Glad that this was fixed quickly. Thanks for giving the relevant team a chance
to close this hole, Tom, and likewise for the other bug that you alluded to in
your blog post.

------
callesgg
Definitely think it is worth a bounty. For example I have a YouTube
account (therefore a Google Plus account) that I don't want to share as my
personal email.

This bug was literally the exact reason I did not actually want to connect my
YouTube account to Google Plus. But there was no real choice more like, take
it or leave it.

~~~
TomAnthony
Yeah - there was a lot of backlash around the move to a single account for
everything. It isn't just YouTube either, Picasa and others also set you up in
the same ecosystem.

There are plenty of people who don't want the email address used to log in to
these accounts to be public.

~~~
slashdotaccount
What's wrong with registering a second Google account for YouTube only (and
not using its Gmail part)?

~~~
TomAnthony
Nothing! Lots of people do that, I believe.

The problem is this bug would have let me easily find out your secret YouTube
email address.

------
dalek2point3
Nice work, but I hate how he has to say "Google should let me know next week
whether this qualifies for a bounty; I’ll update this post when they do." --
He's the one who did Google a favor! For him to have to be in this position
where he's hoping for a bounty, and Google has no incentives to give him one
is kinda a crappy position to be in. We need an intermediary for security
exploits that can negotiate bounties before full information about the exploit
is revealed. Perhaps something already exists?

~~~
TomAnthony
OP here.

I understand the essence of your point and agree with it to some extent, but I
think in this instance I wasn't clear. Google are transparent about their
process and let me know they'd vote on it at their next meeting. I've
clarified the language in my post.

The idea of an intermediary is an interesting one, certainly for smaller
companies. However, for the company to be able to work out the value of the
bug, they'd need to know enough details to 'score' the bug such that they could
maybe find it. Either way, you'd end up needing some trust.

However, the idea of a service to manage all that for small companies is a
good idea. It reminds me of the Common Vulnerability Scoring System
(http://www.first.org/cvss) for scoring such
exploits.

~~~
thetrb
In your case it would have been easy: "I have an exploit that lets me get the
e-mail address of every Google+ account". Then they could decide how much
that's worth to them.

But I also don't see how that would play out. If their offer is too low what
would you do then? You can't sell it to someone else as this is most likely
illegal and just keeping it for yourself is also not a great choice.

------
saimey
I'm pretty sure there are people who would've paid to get private access to
this workaround, and so I hope you will in fact get rewarded for the time well
spent.

~~~
TomAnthony
Yes, I think there is a market for things like this, but I'm a Google user so
even putting ethics aside it wouldn't be a great long-term move!

On the flip side, without the bounty programs a lot of people wouldn't be as
motivated to dig around to find such bugs.

------
eric_khun
Clean and professional for the 2 sides. I like it!

------
k3oni
Good job and thanks for reporting it. I can see this qualifying for a bounty
and hope you'll get it.

