I actually reported a similar problem to Google that would allow you to do the same thing back in 2013 (and like you, I used the load and onerror methods for detection). I didn't get a reward either :/.
However, Facebook paid me $1,000 for finding this problem for a particular area of their website (http://patorjk.com/blog/2013/03/01/facebook-user-identificat...). So I wouldn't write off this kind of security issue. It seems to depend on who's giving out the bounty.
I recommend using Tor now. But most people won't.
Not to get too pedantic, but Tor is a protocol, not a browser - if you use your regular web browser over Tor, you’re still logged in.
On further thought, if you have only ever used a packaged ‘Tor browser’ that is both a browser and implements the Tor protocol, then I can see where you’d phrase it that way.
Reddit user 'unsafeword' has suggested (https://www.reddit.com/r/netsec/comments/6smdq0/how_to_confi...) that organisations like schools/universities could use this for identifying their own users, as the list isn't that large.
I wish browsers found an easy, secure way to bake this into the product. I'd much rather a confirmation modal than having to go to your email and click a link.
Reddit could use it to figure out whether various celebrities were redditors and track what they look at. Even if they never log in! And if they did log in, reddit could find out what their username was.
And that's just what I was able to think up in 30 seconds.
As for the Reddit option, Reddit would already know if the celebrities were redditors because they'd have to know their email address in advance anyways for this trick to work. No celebrity is going to risk setting up a Reddit account without an email address so Reddit already has that info. On top of that, what's reddit going to do with a celebrity's email address and username? It's already required for verification on anything important a celebrity would use it for (like an AMA or promos).
Val Kilmer is a redditor. What exactly would I gain from knowing if Val Kilmer is logged in to his Google account?
No, it would be instantaneous. If you have a specific email address in mind, you test it, and immediately get "yes, it's them" / "no, it's not them" in milliseconds.
> No celebrity is going to risk setting up a Reddit account without an email address
Huh? You don't think famous people have pseudonymous Internet accounts?
> Val Kilmer is a redditor. What exactly would I gain from knowing if Val Kilmer is logged in to his Google account?
"Val Kilmer's secret reddit username is i_love_horse_porn"
Again...you'd already have to know the email address and what benefit does it give you to know that this specific person is logged in? You'd have to somehow get that specific person to visit your page in the first place.
>pseudonymous Internet accounts
I know they do. I just don't see what that gets me if I already know their email address.
The only people that would be able to gather this information from this exploit are Reddit admins and they'd already have that information from the email address. Even still... what would they even do with that information?
You can link users (that you target) to specific websites (that you indirectly control, even through something like a malicious ad).
> The only people that would be able to gather this information from this exploit are Reddit admins and they'd already have that information from the email address. Even still... what would they even do with that information?
No! I (as a non admin) could create a website that uses this exploit right now and link targets (like reddit admins of which I know the gmail) to my website. Post the website to reddit, and voila. Once they visit the site I know they did.
They most likely use another email address for their anonymous internet account but even if they do, they're likely to be logged in to their main Google account at the same time (since you can be logged in to multiple email accounts).
So, in this case, reddit (or whatever popular website) admins would be able to gather more information than what they should be able to get. It's a loss of privacy for the person concerned.
Besides this, it could be used for phishing to make sure only your target is the one getting the phishing page.
Or, you could combine it with geoip to get the zip code of the person logging in, a lookup of the different names of people living in that zip code (through the yellow pages or equivalent) and just check all of the first name last name combinations @gmail.com. At the speed of 1000 possible email addresses every 25 seconds, you could probably guess the email of quite a few visitors I think.
No way! Do you know how many Google accounts are out there? As I mentioned before, the person would have to, at the rate given, stay on the site for 2 hours to even have a statistical chance of being guessed unless you knew exactly who the target was.
Overall, this issue seems to only concern a specific individual that's being targeted by another specific entity. It doesn't seem useful or workable at all if you're guessing against a set of known emails.
Doesn't matter, I don't care about them. I just care if the person reading right now has initials SB, SM or KAC and might be in a position to say "Sir, have you seen this article?" (note: I have no idea who in the Trump administration might be using non-archived private email or whether rhesus nut or them are actually using Gmail, initials were chosen for names I know are still in their positions at the time I'm writing this)
$ dig -t mx ycombinator.com
ycombinator.com. 300 IN MX 10 aspmx.l.google.com.
Useful as a spearphishing tool for getting to specific people? Absolutely.
What do you figure as the likelihood that there are people in positions of power or influence right now who are using pseudonymous email addresses from third party providers? I'd peg it at near 100%, though I'm not in a position to identify specific ones.
Security rule of thumb: when you ask this question, you've lost.
Look around the comment section for examples.
To put it crudely: you may lack creativity, but your attackers don't. It's impossible to enumerate all possible applications of an attack vector. Be strict.
and you are even better off. imo.
This way, the image tag will always fire the onError
The scope of the issue is limited, but the fix also does not seem that hard. However, I appreciate it is easy to throw out such an idea, and the reality of implementing it is probably a bit harder. :)
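The detection pattern the thread refers to (the "load and onerror methods" in the first comment) and the fix discussed just above (make the image tag always fire onError) can both be shown with one small probe harness. This is an added example, not code from the original page or from the demo site; the probe endpoint is a placeholder and the image loader is injectable so the decision logic can be exercised outside a browser with a simulated server.

```javascript
// Added example: a login-state oracle built on <img> onload/onerror, plus a
// simulated server that answers identically for every session (the fix).
// The probe URL is a hypothetical placeholder, not a real Google endpoint.

// Real browser loader: resolves "load" or "error" depending on which handler fires.
// Cross-origin images cannot be read, but the load/error outcome is still observable,
// which is the whole leak.
function browserImageLoader(url) {
  return new Promise((resolve) => {
    const img = new Image();
    img.onload = () => resolve("load");
    img.onerror = () => resolve("error");
    img.src = url;
  });
}

// Hypothetical endpoint: assumed to serve an image only when `email` is the
// signed-in account, and a redirect/HTML page otherwise. The cache-buster keeps
// the browser from answering a repeat probe from cache.
function buildProbeUrl(email) {
  return "https://example.invalid/avatar?authuser=" + encodeURIComponent(email)
    + "&nocache=" + Date.now();
}

// One target: "present" if the image loaded, "absent" if onerror fired.
async function probeAccount(email, loader = browserImageLoader) {
  const outcome = await loader(buildProbeUrl(email));
  return outcome === "load" ? "present" : "absent";
}

// A candidate list, probed one at a time so the order of results is stable.
async function probeMany(emails, loader = browserImageLoader) {
  const results = [];
  for (const email of emails) {
    results.push({ email, state: await probeAccount(email, loader) });
  }
  return results;
}

// Simulated vulnerable server: only the signed-in account's probe yields an image.
function makeLeakyLoader(signedInEmail) {
  const needle = encodeURIComponent(signedInEmail);
  return (url) => Promise.resolve(url.includes("authuser=" + needle) ? "load" : "error");
}

// Simulated fixed server: the response is not an image regardless of session, so
// onerror fires for every probe and the attacker learns nothing.
function fixedServerLoader() {
  return Promise.resolve("error");
}

// True when the probe distinguishes at least one candidate from the others.
function oracleLeaks(results) {
  return results.some((r) => r.state === "present");
}
```

Against the leaky loader the signed-in address comes back "present" and every other candidate "absent"; against the fixed loader every result is "absent" and `oracleLeaks` is false, which is the property the fix has to guarantee for every session state, not just the logged-out one.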
Surely they would make an offer of how much they would like to pay the OP before they expect the OP to work for them?
Option 1 seems like it would take impossibly long to match, and I'm not sure what actionable information you get from option 2, other than maybe verifying that the email address is still active?
However, the way I would use it is any scenario where I want to either find out more information about a certain list of people, or where I want to alter the content I show to specific people.
It is a pretty specific attack vector, but a verifiable identification could be high impact in those few cases, and it would also be trivial to fix it.
This is really neither here nor there, but your email input field isn't escaped, so JS can be injected into the email field e.g. <script>alert('Hi Tom!')</script>.
I enjoy the irony of a security-minded page having this issue, even though there's no good reason for you to bother escaping the field :)
url: "/google_leak/save.php?info=manual_hit:" + email
update: gone now. still pings that it ran. don't forget to hit ctrl-shift-r to bypass your cache.
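The two loose ends above, the unescaped email field and the `save.php?info=manual_hit:" + email` logging URL, are the same mistake in two output contexts: user input concatenated into HTML and into a query string. This added example is not the demo page's own code (only the one `url:` line is on the page); it shows the vulnerable concatenation beside the escaped and encoded forms.

```javascript
// Added example: the same email string rendered into HTML and into a URL,
// first by plain concatenation (the pattern the thread points out) and then
// with context-appropriate escaping. Path and parameter names copy the one
// line quoted in the thread; everything else is illustrative.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape the five characters that can change meaning inside an HTML text node
// or a double/single-quoted attribute.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Vulnerable: markup built by concatenation, so <script> in the email runs.
function renderResultUnsafe(email) {
  return "<p>Checked " + email + "</p>";
}

// Hardened: escape before concatenation. In the DOM, assigning to
// element.textContent instead of innerHTML achieves the same thing.
function renderResultSafe(email) {
  return "<p>Checked " + escapeHtml(email) + "</p>";
}

// Vulnerable: an '&' or '#' in the input splits or truncates the query string,
// so the logged value is not the value the user typed.
function buildLogUrlUnsafe(email) {
  return "/google_leak/save.php?info=manual_hit:" + email;
}

// Hardened: the whole parameter value is percent-encoded as one unit.
function buildLogUrlSafe(email) {
  return "/google_leak/save.php?info=" + encodeURIComponent("manual_hit:" + email);
}

// Cheap syntactic gate applied before either use: one token, one '@', a dot in
// the domain, and none of the characters that matter in HTML or URL contexts.
function isPlausibleEmail(s) {
  return /^[^\s@<>"'()&#]+@[^\s@<>"'()&#]+\.[^\s@<>"'()&#]+$/.test(String(s));
}
```

The input check is a sanity gate, not the defence; output encoding for the specific context (HTML text, attribute, URL component) is what actually prevents the injection, and it has to be applied at the point of output, not once at input.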