by mirimir 2959 days ago
Google cache: https://webcache.googleusercontent.com/search?q=cache:kv9fSs...

> Exploiting Clickjacking on Google YOLO allows visitors' name, profile picture and email address to be leaked. That's right, I can even know your email address. :). Click here if you want to see behind the scenes (make sure you have logged in to Google with a modern browser, PC preferably).

Google's reply to a VRP submission:

> Thanks for your bug report and research to keep our users secure! We've investigated your submission and made the decision not to track it as a security bug.

> The login widget has to be frameable for it to work. I'm not sure how we could fix this to prevent this problem, but thanks for the report!

That's why we don't trust login widgets, right?
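Google's reply turns on a single property: the widget's response can be framed by any origin, which is the precondition for clickjacking it. The following Python is an added example, not code from the original post, from Google, or from the YOLO project; it evaluates a response's framing policy from its `X-Frame-Options` and CSP `frame-ancestors` headers and reports which origins may embed it. A widget that has to stay frameable can still be limited to an allowlist of partner origins with `frame-ancestors`, so "it has to be frameable" and "anyone can frame it" are not the same thing. All header values and origins below are constructed, and `allowed_framers`, `can_frame` and `framing_report` are hypothetical helper names.

```python
"""Decide which origins may frame an HTTP response (clickjacking exposure check).

Rules implemented (assumptions stated where they simplify the spec):
- A CSP ``frame-ancestors`` directive takes precedence over ``X-Frame-Options``.
- ``'none'`` or an empty directive allows no framer; ``*`` allows every origin.
- Host-source matching supports ``scheme://host``, bare ``host`` and ``*.host``;
  ports and path components are ignored (assumption, enough for this check).
- Only one Content-Security-Policy header is considered (assumption).
"""

from typing import Dict, Mapping, Optional, Set


def _lower_headers(headers: Mapping[str, str]) -> Dict[str, str]:
    """Header names are case-insensitive, so normalise them once."""
    return {name.lower(): value for name, value in headers.items()}


def allowed_framers(headers: Mapping[str, str], page_origin: str) -> Optional[Set[str]]:
    """Return the set of source expressions allowed to frame the page.

    ``None`` means *any* origin may frame it (no effective policy); an empty
    set means nobody may. ``'self'`` is resolved to ``page_origin``.
    """
    page_origin = page_origin.lower()
    h = _lower_headers(headers)

    # CSP frame-ancestors wins over X-Frame-Options when both are present.
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.strip().split(None, 1)
        if not parts or parts[0].lower() != "frame-ancestors":
            continue
        sources = parts[1].split() if len(parts) == 2 else []
        keywords = {s.strip("'").lower() for s in sources}
        if not sources or "none" in keywords:
            return set()
        if "*" in sources:
            return None
        return {page_origin if s.strip("'").lower() == "self" else s.lower()
                for s in sources}

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return set()
    if xfo == "SAMEORIGIN":
        return {page_origin}
    # ALLOW-FROM is obsolete and ignored by modern browsers, so it offers no
    # protection; any other value, or no header at all, leaves the page frameable.
    return None


def _matches(source: str, origin: str) -> bool:
    """Match one host-source expression against a lowercase ``scheme://host`` origin."""
    scheme, host = origin.split("://", 1)
    if "://" in source:
        src_scheme, src_host = source.split("://", 1)
        if src_scheme != scheme:
            return False
    else:
        src_host = source
    if src_host.startswith("*."):
        # "*.partner.example" matches "app.partner.example" but not "partner.example".
        return host.endswith(src_host[1:])
    return host == src_host


def can_frame(headers: Mapping[str, str], page_origin: str, framer_origin: str) -> bool:
    """True if a page served from ``framer_origin`` may embed this response."""
    allowed = allowed_framers(headers, page_origin)
    if allowed is None:
        return True
    framer_origin = framer_origin.lower()
    return any(_matches(src, framer_origin) for src in allowed)


def framing_report(headers: Mapping[str, str], page_origin: str) -> str:
    """One-line human-readable verdict for a response."""
    allowed = allowed_framers(headers, page_origin)
    if allowed is None:
        return "FRAMEABLE BY ANY ORIGIN (clickjacking exposure)"
    if not allowed:
        return "not frameable"
    return "frameable only by: " + ", ".join(sorted(allowed))


if __name__ == "__main__":
    # Constructed sample responses for a hypothetical widget endpoint.
    widget = "https://accounts.example"
    samples = {
        "no policy": {"Content-Type": "text/html"},
        "legacy same-origin": {"X-Frame-Options": "SAMEORIGIN"},
        "partner allowlist": {
            "Content-Security-Policy":
                "default-src 'self'; frame-ancestors 'self' https://*.partner.example"},
    }
    for label, hdrs in samples.items():
        print(f"{label:20s} -> {framing_report(hdrs, widget)}")
```

The last sample is the shape a "whitelisted partners only" widget would take: still embeddable, but only by origins the policy names, so an unrelated site framing it is refused by the browser rather than by a per-site block after the fact.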


Damn, the amount of user trust they just burned by closing that with "as designed, won't fix" is staggering.
Yeah, I read through the post and (assuming I'm parsing it right) can't figure out why this hasn't caused a massive shitstorm already. Are they actually arguing that it's not a security bug because it's necessary for them to implement a 'one click sign in through Google' feature?
Likejacking Facebook likes has been around for 8+ years, leaks a similar amount of information, and there’s no big shitstorm. Not sure what the big difference between YOLO and FB’s like button is?
I was wondering whether this is actually the same as likejacking. Is the ‘leak’ in that case the ability for the Facebook page/post owner to be able to then look you up in the list of ‘likes’? If so, I think Facebook privacy settings may allow users to not leak their emails or pictures in this case.

Also, I think it’s more widespread given that ‘Google identity’ covers a large number of Google products, and signing into one signs into all. With Facebook any time I log in nowadays I open incognito, check messages, log out, whereas with Google I generally stay logged in, mostly because I want gmail and my cross device browsing history to work.

To me Likejacking is more like harvesting organic likes. And YOLO leaks email address which is PII.
Do you get the user's email from FB’s like button? (edit typo)
Basically, yes.
That's insane.
Yet they silently blocked his website from using this API thus acknowledging it's actually an issue.
Shoot the messenger. SOP.

Maybe someone should tip off Google project Zero about this? Let's see if they mean it that they will hold themselves to the same standard.

Looks like they took it down for everyone [0]; maybe not the most elegant approach but at least it seems they're taking it more seriously now.

[0]: https://stackoverflow.com/questions/50289065/google-yolo-sto...

It would be very interesting to see a split second exact timeline on this.
Indeed. A Google engineer stated on Twitter [0] that the shutdown of the service happened because apparently YOLO is only supposed to be accessible to whitelisted partners.

[0]: https://twitter.com/sirdarckcat/status/994867632355577862

Sounds like a fix.

By the terms of the VRP it sounds like the reporter is owed a payout.

Bounty deserved, yes. Fixed? No, they only blocked his address, anyone else can still grab your info on their sites.
Looks like it's blocked for everyone now
It's blocked for people who aren't on the whitelist.
Exactly. If it was about "just whitelisted partners" he discovered it was actually "everybody." It's no different from discovering that instead of the password just an empty string is enough.
Well, that did protect users from his site, at least :)
They're burning developers' and potential employees' trust in the first place. This "we don't know how to fix it ==> not a bug" attitude is what's staggering.
To me it shows a gross indifference to being dishonest even when speaking in an official capacity.

I want to say that I hope this is isolated and not a systemic part of their company culture but at this point I can't help but be cynical after this.

This keeps happening over and over again. I remarked the other day that the most feared words when reporting a serious bug are 'won't fix'. It is super annoying. If the feature can't be made to work safely then drop the feature.