Feb. 12, 2010


Using Google Buzz Can Expose Your Gmail Address

I’ve discovered another trick that may surprise some, this time relating to Google’s services. I don’t view the issue as a vulnerability, but it likely goes against user privacy expectations. In short, having a public Google profile (which you might have created when checking out Google Buzz) can allow others to figure out your Gmail address.

This really shouldn’t be that surprising, given that your username is generally consistent across Google services, and a public profile is public. But those who currently have numeric profile addresses (e.g. http://www.google.com/profiles/104424237445852766735) might think their profile is not easily tied to their username.

But by using Picasa, Google’s photo sharing service, it’s often quite simple to go from a numeric profile address to an actual username. To protect yourself from this access, visit the Picasa settings page.  Under “Your gallery URL,” add a new username and select the new username for your gallery URL. Also, you may want to edit your nickname.

In my testing thus far, it matters little whether you’ve used Picasa before – if you have a Gmail account, Picasa is also enabled on your account. And while individual Picasa albums have privacy controls, I have not found a way to block simply loading your Picasa home page.

With the introduction of Buzz, Google is encouraging users to take advantage of Google profiles. But in the process, Google is tying together services that many users may have treated quite distinctly in the past. If you want your Gmail address to remain private, you need to properly manage the other Google services you use so that none of them exposes your Gmail username.

Update (Feb. 13): It appears Google has adjusted their services to prevent the original URI trick from working. Previously, adding a profile number to picasaweb.google.com (e.g. http://picasaweb.google.com/104424237445852766735) would load a page with the username visible, a page with the username embedded in its source code (_user.name in JavaScript), or, in a few particular instances, an error page. One configuration that would simply produce an error page was if you had Picasa set up under a different username than your Gmail username, hence my advice. It now seems that using a numeric Picasa URI will either load an error page if the user does have Picasa set up, or a page indicating the user does not have Picasa galleries but with no username anywhere in the page.
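The update above distinguishes a username shown in the page from one embedded in the page's source. As an added example (not code from the original post or from Google), here is a check a service operator could run on pages served under an opaque numeric ID to confirm the account username appears nowhere in them. The username and page bodies are constructed samples, and `find_username_leaks` is a hypothetical helper name.

```python
from html.parser import HTMLParser

# Constructed sample pages; "jane.example" is a made-up username.
PAGE_VISIBLE = "<html><body><h1>jane.example's gallery</h1></body></html>"
PAGE_SCRIPT = ('<html><body><script>var _user = {name: "jane.example"};'
               "</script><p>Public gallery</p></body></html>")
PAGE_ATTR = '<html><body><a href="/jane.example/albums">Albums</a></body></html>'
PAGE_CLEAN = "<html><body><p>This user has no public galleries.</p></body></html>"


class _Collector(HTMLParser):
    """Split a page into visible text, inline script bodies and attribute values."""

    def __init__(self):
        super().__init__()
        self.buckets = {"visible_text": [], "inline_script": [], "attribute": []}
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        # Attribute values (links, data-* fields) can carry the name too.
        self.buckets["attribute"].extend(value for _, value in attrs if value)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        key = "inline_script" if self._in_script else "visible_text"
        self.buckets[key].append(data)


def find_username_leaks(html, username):
    """Return the sorted names of the page regions in which `username` appears."""
    collector = _Collector()
    collector.feed(html)
    collector.close()
    needle = username.lower()
    return sorted(
        region
        for region, chunks in collector.buckets.items()
        if any(needle in chunk.lower() for chunk in chunks)
    )
```

An empty result for every page reachable by numeric ID is the property the Feb. 13 behaviour restores; a hit in `inline_script` corresponds to the source-code case, which a visual review of the rendered page would miss.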

I’ve already done some preliminary testing to see if Google Reader could also be used to discover usernames, but so far that does not seem possible. Still, it’s wise to be cautious when using a tool that interacts with so many other services.

  1. Isn’t that the same info you get from a Google Profile URL?

  2. @Robin: As I described, some users use numeric profile URLs, which do not automatically reveal the Gmail username.

  3. Good to see you doing something besides f**book.

    You see this? http://seclists.org/fulldisclosure/2010/Feb/235

  4. @meh: Yes, I did see it, but hadn’t gotten around to testing it myself yet. Also wasn’t sure how exploitable it would be.

  5. Thanks for the tip – Even though neither the BF nor I are really using Buzz, I’ve been following the articles on it as it evolves… I’ve just switched both our usernames on Picasa – that information, whether you use Buzz or not, should not be visible and usable to the public.

    Now if I could just get Google to let me have a vanity URL that is NOT my email address on my google profile, I’d be happy.

  6. Victoria Katsarou says:

    Hi there,

    My name is Victoria and I work in Google Communications. Our engineers worked hard to address this issue and it is now resolved. Thanks for bringing it to our attention. Feel free to contact me for more details.

    Victoria

  7. @Victoria Katsarou & @theharmonyguy

    1,86,631.00

    In RESPONSE TO:
    “To protect yourself from this access, visit the Picasa settings page. Under “Your gallery URL,” add a new username and select the new username for your gallery URL. Also, you may want to edit your nickname”

    BUT
    When I went to settings-general-Your Public URL..
    it doesn’t have “create a new google username” option anymore. Is it not available anymore?
    Even when I looked at help pages (which were last updated on 24th Feb 2010), it tells the following: (that doesn’t mention the option to create a new google username for picasa album public url)

    FROM THE HELP PAGES:

    Album Privacy: Public gallery URL

    Your Public Gallery can either be based on your Google Profile ID number or your Google Account username. Follow these steps to change the URL:

    Sign in to your account at http://picasaweb.google.com.
    Click Settings at the top right of the page.
    Click the General tab.
    In the “Your Gallery URL” section, you have the option to choose between your username or your Google Profile ID. To change your Public Gallery web address, click Change your URL.
    Select the name you’d like to use and click Save.
    Click Save changes at the bottom of the Settings page.
    Please note that changing your Public Gallery URL does not change your sign-in name. You should continue to sign in with the Google Account username and password that you created your account with.

    If you’re creating a new Picasa Web Albums account, your default username will be your Google Profile ID number.
    updated 2/24/2010
