Finding the name behind the GMail address

Ah, this is a fun little trick. I’m not sure if it represents a vulnerability, but certainly I expect Google will try to get rid of this feature. The SecuriTeam blog has reported that it is possible to expose the full name of the user who registered a GMail account. This is, of course, contingent on the fact that the person who registered the GMail account didn’t use a fake first and last name, but still, an interesting trick.

The reason this vulnerability exists is due to the strong tie-ins between GMail and all of Google’s other services, such as Google Calendar, Blogger, and Google Code AND the strong desire for Google Apps to be able to share data with people. This isn’t the first time, the second time, or the last time the strong tie-ins have produced interesting results, see my post on Billy Rios’s Google Code exploit, Billy’s taking ownership (pwnership) of content attacks against Google Spreadsheets, Billy and I stealing documents from Google Docs, and see my talk at Black Hat for more.

The steps to accomplish this are as follows:

  1. Sign up for Google Calendar
  2. Go to the ’share this calendar’ tab
  3. Enter the email address in the ‘person’ box
  4. Click ‘add person’ and ’save’
  5. When you return to this screen you will see the first and last name along with the gmail address
Read the rest of this entry

[Source: zdnet]