by socket0 3330 days ago
I'm going to have to agree with Google here, in that this isn't an exploitable security vulnerability. Knowing that the mailboxes famous.celebrity@gmail.com or controversial.journalist@gmail.com exist doesn't bring me any closer to exploiting the knowledge. I don't know that Famous Celebrity is in fact THE famous celebrity. I don't know whether Controversial Journalist still reads mail sent to that account. Most importantly, I don't learn anything I couldn't have learned by sending messages to every likely permutation of famous.celebrity@gmail.com. This won't teach me anything particularly useful for spear phishing, as I'm just throwing out a net hoping something gets caught.

To verify the existence of a single account all you need to do is go to gmail.com and attempt logging into it. It's that simple. Sometimes you will even see the profile pic so you know who this user is or claims to be.

The OP found a way to discover 40000 new addresses of random people per day by brute forcing through a dictionary-generated list of plausible candidates.

Use it for Nigerian scams, Viagra ads, account hijacking, anything you please.

This feature really grinds my gears. They should at least allow a feature to disable showing the picture/name until the user has logged in. In some cases I'm handing out my email to avoid handing out my actual identity because I don't want to be spammed or followed. Until then I will continue to use a false name and photo under my accounts signed up to Google (apart from the one work email I have thru them).
AFAIK the picture is only shown if Google is reasonably confident that it is actually you trying to log in.
> AFAIK the picture is only shown if Google is reasonably confident that it is actually you trying to log in.

I didn't know about this feature, but I often saw pictures of people I know when I tried. Apparently, it seems that, for example, just sharing an IP address is sufficient to trigger this reasonable confidence. Not sure what other ways there may be. But indeed, it didn't work for a few random strangers from LKML I just tried.

IP is a factor, but it's actually much more sophisticated than that :)
Thank you for this information - seems to be so - just tried a VPN from Canada and it only shows the email that I entered. However I still would like to disable it on the off chance that someone in the future messes up. May never happen but I'd like to not take that risk. Thank you nonetheless as that has eased my mind a little bit.
Sounds like a SaaS - verify emails from gmail, hotmail, etc...
With as many accounts on these services that actually exist, it still doesn't answer the question of whether or not the person actually owns the email.
>Sometimes you will even see the profile pic

if it was your account