
Ask HN: Vulnerability that reveals Google user identity - ChicagoBoy11
Hi everyone,<p>I remember reading here (I believe) an article which someone wrote detailing how Google API endpoints could leak if a particular account was logged in or not. To make things even worse, the researcher mentioned that the endpoint did not seem to be rate limited, allowing you to go through an extensive list of address to pinpoint if a specific user was accessing your site.<p>I&#x27;m a teacher doing a privacy lesson and wanted to discuss this with my students, but for the life of me cannot find the article in question. If anyone remembers it, I&#x27;d love to be pointed to it again!
======
VuWall-Matt
Took a little while, but I think this is what you are looking for:
[https://blog.0day.rocks/abusing-gmail-to-get-previously-
unli...](https://blog.0day.rocks/abusing-gmail-to-get-previously-unlisted-e-
mail-addresses-41544b62b2)

~~~
ChicagoBoy11
Thanks so much -- not quite what I was looking for, though. A buddy at work
finally came through, though:
[https://www.google.com/url?q=http://www.tomanthony.co.uk/blo...](https://www.google.com/url?q=http://www.tomanthony.co.uk/blog/confirm-
google-users-email/)

