Google Exploit – Steal Account Login Email Addresses (tomanthony.co.uk)
132 points by TomAnthony on Mar 8, 2014 | 21 comments

Nice work! I use Google+ and I (a) like that you found a hole and reported it, and (b) Google fixed it nice and promptly.

I hope you get the bounty.

Yeah - the Google security team are very good in my experience. They are very fast to respond and to fix problems, and are communicative all the way through.

Bugs will always come up in systems as large as theirs, and it is nice to speak to a team so receptive to reports.

Glad that this was fixed quickly. Thanks for giving the relevant team a chance to close this hole, Tom, and likewise for the other bug that you alluded to in your blog post.

Definitely think it is worth a bounty. For example, I have a YouTube account (therefore a Google Plus account) that I don't want to share as my personal email.

This bug was literally the exact reason I did not actually want to connect my YouTube account to Google Plus. But there was no real choice; it was more like "take it or leave it".

I segregate some activity across different Google accounts. By using different browser makes (Chrome versus Firefox versus...). And/or by using different data profiles in those browsers (not just the "change user" feature of the Google web properties, but a completely different browser profile subdirectory).

My oldest and most-used Google account (formerly known as a Gmail account), I refuse to Google+ify, as long as I can. For reasons like the OP situation and others.

A while back, I needed to use Hangouts. I +ified another Gmail account that I used for a subset of general business contact. If/when it is borked, I can walk away from it. And it doesn't contain data I worry overly about "bleeding".

Yeah - there was a lot of backlash around the move to a single account for everything. It isn't just YouTube either, Picasa and others also set you up in the same ecosystem.

There are plenty of people who don't want the email address used to log in to these accounts to be public.

What's wrong with registering a second Google account for YouTube only (and not using its Gmail part)?

Nothing! Lots of people do that, I believe.

The problem is this bug would have let me easily find out your secret YouTube email address.

You then have to be very disciplined about logging your Google accounts in and out, and either give up on tabbed browsing or have a YouTube-only browser and an "other" browser.

On Android, you don't have this choice.

I deleted my whole Google+ profile in order to disconnect the connection I accidentally made earlier. It was the only way I could see to do it.

Disconnect your channel from the G+ profile and link to a G+ Page instead: https://support.google.com/youtube/answer/2897336

It's getting more difficult. The Google iOS apps for Gmail and YouTube for example use the same user credentials, i.e., I can no longer have only my Gmail account in the Gmail app and only my YouTube account in the YouTube app.

Nice work, but I hate how he has to say "Google should let me know next week whether this qualifies for a bounty; I’ll update this post when they do." -- He's the one who did Google a favor! For him to have to be in this position where he's hoping for a bounty, and Google has no incentives to give him one is kinda a crappy position to be in. We need an intermediary for security exploits that can negotiate bounties before full information about the exploit is revealed. Perhaps something already exists?

OP here.

I understand the essence of your point and agree with it to some extent, but I think in this instance I wasn't clear. Google are transparent about their process and let me know they'd vote on it at their next meeting. I've clarified the language in my post.

The idea of an intermediary is an interesting one, certainly for smaller companies. However, for the company to be able to work out the value of the bug, they'd need to know enough details to 'score' the bug such that they could maybe find it. Either way, you'd end up needing some trust.

However, the idea of a service to manage all that for small companies is a good idea. It reminds me of the Common Vulnerability Scoring System (http://www.first.org/cvss) for scoring such exploits.

In your case it would have been easy: "I have an exploit that lets me get the e-mail address of every Google+ account". Then they could decide how much that's worth to them.

But I also don't see how that would play out. If their offer is too low what would you do then? You can't sell it to someone else as this is most likely illegal and just keeping it for yourself is also not a great choice.

Well, we have an official reward program with published criteria, and to a large extent, it's just a matter of reputation: if we were unfair or stingy, it would be a very short-sighted strategy.

That aside, having another party getting advance knowledge about the bugs is risky: it just gives bad actors a juicy target to infiltrate to get a steady supply of 0-days.

Something doesn't exist because these companies do try to pay out very reasonable bug bounties to people who catch bugs. The more lucrative it is to find a bug and disclose it responsibly on Google, the more people will actually take the time and effort to do so.

I'm pretty sure there are people who would've paid to get private access to this workaround, and so I hope you will in fact get rewarded for the time well spent.

Yes, I think there is a market for things like this, but I'm a Google user so even putting ethics aside it wouldn't be a great long-term move!

On the flip side, without the bounty programs a lot of people wouldn't be as motivated to dig around to find such bugs.

Clean and professional for the 2 sides. I like it!

Good job and thanks for reporting it. I can see this qualifying for a bounty and hope you'll get it.
