Re: full name disclosure information leak in google drive

[kevin mcsheehan <kevin () mcsheehan com>]

> When you sign up for a Google account and create a profile

when they say "create a profile" they're referring to google plus. the  
302 on https://profiles.google.com should be a solid indicator of  
that. this vulnerability is capable of targeting non-g+ users, and  
that's the point.

here is an example of google acknowledging that names are personal  
information: http://i.imgur.com/VHLfcC2.png


Quoting Daniel Miller <bonsaiviking () gmail com>:

> On Wed, Jan 21, 2015 at 2:26 PM, kevin mcsheehan <kevin () mcsheehan com>
> wrote:
>
> > exploit title: full name disclosure information leak in google drive
> > software link: https://drive.google.com/drive/#my-drive
> > author: kevin mcsheehan
> > website: http://mcsheehan.com
> > email: kevin () mcsheehan com
> > date: 01/20/15
> >
> > source: http://mcsheehan.com/?p=15
> >
> > description: google drive leaks the full name of a target email address
> > when said email address is associated with an uploaded file. the full name
> > is displayed whether or not the target has made that information publicly
> > accessible by creating a google plus account.
>
> I'm pretty sure Google doesn't consider this sort of thing a vulnerability.
> Here's their "it's not a bug" page for it:
> https://sites.google.com/site/bughunteruniversity/nonvuln/discover-your-name-based-on-e-mail-address
>
> Dan



_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/