Hacker News new | comments | show | ask | jobs | submit login
How to confirm a Google user’s specific email address (tomanthony.co.uk)
227 points by TomAnthony on Aug 9, 2017 | hide | past | web | favorite | 68 comments



> which allows an attacker to confirm whether a visitor to a web page is logged in to any one of a list of specific Google accounts

I actually reported a similar problem to Google that would allow you to do the same thing back in 2013 (and like you, I used the load and onerror methods for detection). I didn't get a reward either :/.

However, Facebook paid me $1,000 for finding this problem for a particular area of their website (http://patorjk.com/blog/2013/03/01/facebook-user-identificat...). So I wouldn't write off this kind of security issue. It seems to depend on who's giving out the bounty.


Nice catch! Interesting that they considered it a bug. I thought mine would qualify, but appreciate it is a pretty specific issue.


Given that I regularly see my Facebook account name and photo on third party websites, without giving them any permission to see those, I find it hard to believe that Facebook cares about this…


I agree with theGimp. From my experience they do seem to care about this. I actually still carry the debt card they sent me in my wallet (http://imgur.com/TuVKm5k). Facebook also seems to be the most generous in terms of giving out a reward. I ended up submitting a few more issues after this and always got something reasonable (usually 1k to 1.5k).


It's probably in a Facebook iframe, which is a different story.


This is an issue for those of us who do anonymous peer review of publications that include references to the authors' web sites. It's bad enough that people have tried to identify me just by location in their logs.

I recommend using Tor now. But most people won't.


We did a a paper last year on a scientific web app; we specifically told reviewers up front that if they visited the actual page, they would show up in the logs, and gave them code+instructions for running it on localhost if they cared about that. I don't think most people are even aware; referees are domain experts, not web devs.


Tor won't help if you are logged into Google. The best solution here against that problem is incognito mode plus a VPN.


I only use Tor for anonymous reviewing purposes so I don't log into Google with it. But that's a good point.


> I only use Tor for anonymous reviewing purposes so I don't log into Google with it

Not to get too pedantic, but Tor is a protocol, not a browser - if you use your regular web browser over Tor, you’re still logged in.

On further thought, if you have only ever used a packaged ‘Tor browser’ that is both a browser and implements the Tor protocol, then I can see where you’d phrase it that way.


Wouldn't incognito mode block this particular attack?


Possibly, depending on how you use it. You can be logged in to Gmail while in incognito though (I sometimes use an incognito window to log in to a personal gmail account while I've got a work account open in a non-incognito window...)


That is an interesting use case. I think there are probably many similar ones.


Worth noting that this also works with GSuite email addresses.

Reddit user 'unsafeword' has suggested (https://www.reddit.com/r/netsec/comments/6smdq0/how_to_confi...) that for organisations like schools/universities could use this for identifying their own users, as the list isn't that large.


This seems like a handy way to confirm email addresses when a user signs up to your service. If it returns false, send a regular "confirm your email" email.


Firefox's BrowserID/Persona used to do something similar. If you were logged into an email account (which supported it) and you signed up for a site (which supported it), it would auto-confirm your email. I never saw it in the wild, but the demo was awesome.

I wish browsers found an easy, secure way to bake this into the product. I'd much rather a confirmation modal than having to go to your email and click a link.


Not a great idea since it would require trusting the client unless I'm missing something.


It depends on why you're checking emails. If it's just for password recovery, for example, then it's the user's loss if they intentionally use an invalid email.


This check only works client-side, so you can't trust it to protect against spammers.


Is this really even a big issue? For one, you have to already have knowledge of the email address in advance. Then you have to somehow get this user to go to a page that you have control over. Then you have to get them to wait around on your page while you run through 1000 possible email addresses every 25 seconds. Unless this got onto a really, really compelling page, I don't think anyone is going to sit around waiting for a page like this to do its business. The chances of getting a successful match are so low that I can understand why it's not a priority to fix this.


I could use this to make a website where, when an HN admin looked at it, it looked great, but when anyone else did, it was full of ads, redirected to malware, or whatever.

Reddit could use it to figure out whether various celebrities were redditors and track what they look at. Even if they never log in! And if they did log in, reddit could find out what their username was.

And that's just what I was able to think up in 30 seconds.


With your first example, you could do that but it wouldn't be realistic to do that. Like I said, you'd have to know the admin's logged in Google email address already and then they'd have to sit on that page for over 2 hours before you even hit a statistical probability of a match. It would really only work if you were trying to target one specific person. If you were fishing for users from a leak of users or something, this would literally do nothing.

As for the Reddit option, Reddit would already know if the celebrities were redditors because they'd have to know their email address in advance anyways for this trick to work. No celebrity is going to risk setting up a Reddit account without an email address so Reddit already has that info. On top of that, what's reddit going to do with a celebrity's email address and username? It's already required for verification on anything important a celebrity would use it for (like an AMA or promos).

Val Kilmer is a redditor. What exactly would I gain from knowing if Val Kilmer is logged in to his Google account?


> they'd have to sit on that page for over 2 hours before you even hit a statistical probability of a match.

No, it would be instantaneous. If you have a specific email address in mind, you test it, and immediately get "yes, it's them" / "no, it's not them" in milliseconds.

> No celebrity is going to risk setting up a Reddit account without an email address

Huh? You don't think famous people have pseudonymous Internet accounts?

> Val Kilmer is a redditor. What exactly would I gain from knowing if Val Kilmer is logged in to his Google account?

"Val Kilmer's secret reddit username is i_love_horse_porn"


>No, it would be instantaneous. If you have a specific email address in mind, you test it, and immediately get "yes, it's them" / "no, it's not them" in milliseconds.

Again...you'd already have to know the email address and what benefit does it give you to know that this specific person is logged in? You'd have to somehow get that specific person to visit your page in the first place.

>pseudonymous Internet accounts

I know they do. I just don't see what that gets me if I already know their email address.

>i_love_horse_porn

The only people that would be able to gather this information from this exploit are Reddit admins and they'd already have that information from the email address. Even still... what would they even do with that information?


> Again...you'd already have to know the email address and what benefit does it give you to know that this specific person is logged in?

You can link users (that you target) to specific websites (that you indirectly control, even through something like a malicious ad).

> The only people that would be able to gather this information from this exploit are Reddit admins and they'd already have that information from the email address. Even still... what would they even do with that information?

No! I (as a non admin) could create a website that uses this exploit right now and link targets (like reddit admins of which I know the gmail) to my website. Post the website to reddit, and voila. Once they visit the site I know they did.


And again, I ask... What information or benefit does that give you that you didn't know before? This only works on specific people and targets that you've had to identify before using this. I have yet to hear of a specific example of this being used for nefarious purposes outside of confirming that someone visited a page and there are hundreds of ways to do that without needing to invoke this workaround.


Could you give me any other example of an exploit that allows an attacker to tell that a specific gmail user is on a website?


> I know they do. I just don't see what that gets me if I already know their email address.

They most likely use another email address for their anonymous internet account but even if they do, they're likely to be logged in in their main google account at the same time (since you can be logged in in multiple email accounts).

So, in this case, reddit (or whatever popular website) admins would be able to gather more information than what they should be able to get. It's a loss of privacy for the person concerned..

Beside this, it could be used for phishing to make sure only your target is the one getting the phishing page.

Or, you could combine it with geoip to get the zip code of the person logging in, a lookup of the different names of people living in that zip code (through the yellow pages or equivalent) and just check all of the first name last name combinations @gmail.com. At the speed of 1000 possible email addresses every 25 seconds, you could probably guess the email of quite a few visitors I think.


>At the speed of 1000 possible email addresses every 25 seconds, you could probably guess the email of quite a few visitors I think.

No way! Do you know how many Google accounts are out there? As I mentioned before, the person would have to, at the rate given, stay on the site for 2 hours to even have a statistical chance of being guessed unless you knew exactly who the target was.

Overall, this issue seems to only concern a specific individual that's being targeted by another specific entity. It doesn't seem useful or workable at all if you're guessing against a set of known emails.


> No way! Do you know how many Google accounts are out there?

Doesn't matter, I don't care about them. I just care if the person reading right now has initials SB, SM or KAC and might be in a position to say "Sir, have you seen this article?" (note: I have no idea who in the Trump administration might be using non-archived private email or whether rhesus nut or them are actually using Gmail, initials were chosen for names I know are still in their positions at the time I'm writing this)


wouldn't you have to know the target's email in advance in both of those examples? And not just their email address, but the email address of the Google account they stay logged in to while browsing. If you know a celebrity's email address, you can probably do more than just show them targeted content on your website.


    $ dig -t mx ycombinator.com
    [...]
    ycombinator.com.	300	IN	MX	10 aspmx.l.google.com.
Looks like ycombinator.com is a Google enterprise domain. Three guesses what pg's email address probably is.


Useful as a general tool for identifying visitors? No.

Useful as a spearphishing tool for getting to specific people? Absolutely.

What do you figure as the likelihood that there are people in positions of power or influence right now who are using pseudonymous email addresses from third party providers? I'd peg it at near 100%,though I'm not in a position to identify specific ones.


>Is [non consensual user-information leaking] really even a big issue?

Yes


> Is this really even a big issue?

Security rule of thumb: when you ask this question, you've lost.

Look around the comment section for examples.

To put it crudely: you may lack creativity, but your attackers don't. It's impossible to enumerate all possible applications of an attack vector. Be strict.


Only works if you target specific user with known email address. Other than that I dont see any possible use.


That still sounds scary enough to me.


Yet another reason I'm glad I use uBlock Origin set to block all 3rd party requests. To get the demo to work, I had to disable uBlock.


Even better to use Umatrix for browsing i think. You can enable several or all elements on a site and so on. Use it with a hosts file like the one from:

someonewhocares.org

and you are even better off. imo.


Google can probably prevent the information leak via image tags by not using a 302 redirect and instead using a 200 response and a combination of <meta refresh> and JS document.location.

This way, the image tag will always fire the onError


My suggestion was simply that they add a has to go with the email parameter (since they generated the URL), such that you can't just check against an email (and you can't generate the hash).

The scope of the issue is limited, but the fix also does not seem that hard. However, I appreciate it is easy to throw out such an idea, and the reality of implementing it is probably a bit harder. :)


not that hard to replace the image with a function that does an ajax call and checks response code.


You can't read the response of cross-origin ajax requests unless the response specifically allows it (with CORS).


> 18th July – The team came back to me and asked me what my suggestions for handling this would be.

Surely they would make an offer of how much they would like to pay the OP before they expect the OP to work for them?



Yeah, I was fiddling with the caching. Should be back now! Thanks! :)


I'm trying to understand the implications here. Is the author suggesting that real world attack would involve randomly generating email addresses to see if they are valid or not based on whether they might match the current user. Or would the attack involve purchasing a list known email addresses from spammers, and then doing lookup against that list for every visitor that comes to your website?

Option 1 seems like it would take impossibly long to match, and I'm not sure what actionable information you get from option 2, other then maybe verifying that the email address is still active?


I didn't necessarily have a specific attack in mind when I looked for the issue.

However, the way I would use it is any scenario where I want to either find out more information about a certain list of people, or where I want to alter the content I show to specfic people.

It is a pretty specific attack vector, but a verifiable identification could be high impact in those few cases, and it would also be trivial to fix it.


What about if I sent a proposal with my website to a bunch of investors that I know, and I want to see which ones clicked on it.


You could also just use unique URLs (tracking, etc.).


This is neat, worked for me (I'm signed in to two Google accounts, both were detected).

This is really neither here nor there, but your email input field isn't escaped, so JS can be injected into the email field e.g. <script>alert('Hi Tom!')</script>.

I enjoy the irony of a security-minded page having this issue, even though there's no good reason for you to bother escaping the field :)


Off-topic, but shout out to Tom (author of the article) and Duncan @Distilled for being great guys. I interviewed with them for a developer position few years back, and while I usually forget the interviewers these two were extremely nice. I didn't get the job, but they left a great impression. If they're hiring in the RD department at Distilled make sure to apply!


Those issues make https://wiki.mozilla.org/Security/Contextual_Identity_Projec... essential. I hope Mozilla will continue to improve the feature.


    ||accounts.google.com^$image,third-party
    ||google.com/accounts/*$image,third-party
For those that want to prevent the attack with ublocko, without filtering all 3rd party requests


Won't disabling third party cookies avoid this sort of issues?


you cannot if you are using privacy badger.


Note that the demo sends your email address to the server if it's a hit.

$.ajax({ url: "/google_leak/save.php?info=manual_hit:" + email });

update: gone now. still pings that it ran. don't forget to hit ctrl-shift-r to bypass your cache.


Sorry - that was for debugging purposes and I forgot to remove it. I've removed that and purged the log.


Ok, since it's removed, we'll turn off the flags above.


Thank you - I had assumed malice, glad I was proven wrong.


Still there for me..


I assume it was cached for you. I did purge the CloudFlare cache when I made the change, and only 2 more entries hit the log after that (which I also cleared). :)


It's gone.


Ctrl+F5, it's probably cached.


Then the post should be flagged.


Yeah, not cool.


According to Google, the leak is working as intended, so I think your problem should be with Google if you don't like their features. Who wants to guess how long until advertisers use this to confirm their guesses for people's identities.


This is why we can't have nice things.




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: