How to identify the Google account email address of a user who accesses a page

The e-mail address of a Google account is used across the various services Google provides, and it comes up in many situations. Web developer Tom Anthony has published a blog post on how to identify the Google account email address of a user who accesses a page, using the parameter Google attaches to URLs for redirects.

How to confirm a Google user's specific email address (Bug Bounty Submission) - Tom Anthony

Google's login page is often passed a "continue" parameter in the URL so that, after logging in, the user is redirected back to the original page instead of the top page. If the user is already logged in to a Google account, they are redirected directly to the URL given in the continue parameter.

This behavior makes it easy to tell whether a user is signed in to a Google account. For example, if a site sets up an image that is displayed only after logging in and uses JavaScript's "onload" and "onerror" handlers to check whether that image loaded, it can detect whether the user who accessed the site is logged in.

Anthony implemented the above idea in the demo page below. By entering the email address registered for your Google Account and clicking "Submit", you can see whether you are signed in to your Google Account.
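The sign-in check described above depends on a cross-site image request getting a different answer for signed-in and signed-out visitors. One way a site could remove that difference on its own redirect endpoint is a Fetch Metadata policy; this is an added example, not code from Anthony's post or from Google, and the handler and field names are assumptions made for the illustration.

```javascript
// Added illustration: policy for a hypothetical login/redirect endpoint.
// The Sec-Fetch-* names are the standard Fetch Metadata request headers;
// every function and field name below is an assumption of this example.

function isCrossSiteSubresource(headers) {
  const site = (headers['sec-fetch-site'] || '').toLowerCase();
  const mode = (headers['sec-fetch-mode'] || '').toLowerCase();
  const dest = (headers['sec-fetch-dest'] || '').toLowerCase();
  // Older browsers send no Fetch Metadata: fall through to normal handling.
  if (!site) return false;
  // Same-origin, same-site and user-initiated (typed URL, bookmark) requests.
  if (site !== 'cross-site') return false;
  // A cross-site top-level navigation, e.g. a link to the login page.
  if (mode === 'navigate' && dest === 'document') return false;
  // What remains is a cross-site <img>, <script>, fetch(), iframe and so on.
  return true;
}

function handleLoginRedirect(request) {
  if (isCrossSiteSubresource(request.headers)) {
    // Identical answer with or without a session, so onload/onerror on the
    // embedding page fires the same way in both cases.
    return { status: 403, location: null };
  }
  if (request.signedIn) {
    // continueUrl is assumed to have been validated against an allow-list.
    return { status: 302, location: request.continueUrl };
  }
  return { status: 200, location: null }; // render the sign-in form
}

// Constructed sample requests (not captured traffic).
const crossSiteImage = {
  'sec-fetch-site': 'cross-site', 'sec-fetch-mode': 'no-cors', 'sec-fetch-dest': 'image',
};
const linkClick = {
  'sec-fetch-site': 'cross-site', 'sec-fetch-mode': 'navigate', 'sec-fetch-dest': 'document',
};
for (const signedIn of [true, false]) {
  for (const [name, headers] of [['img', crossSiteImage], ['link', linkClick]]) {
    const r = handleLoginRedirect({ headers, signedIn, continueUrl: '/account/avatar.png' });
    console.log(name, 'signedIn=' + signedIn, '->', r.status);
  }
}
```

Requests that carry no Fetch Metadata headers are handled as before, so the policy only narrows the signal for browsers that send them.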

Google Account Leak

Checking login status in this way may not seem like a big problem in itself, but Anthony uses a parameter set in the same way to detect whether the email address of the account the visitor is logged in with matches an address prepared beforehand. The site Anthony prepared for the demonstration was reportedly able to check 1000 addresses every 23 to 24 seconds.

In the video on Anthony's blog, you can see a demonstration of identifying Anthony's account from a list of 20 accounts.

Because the method checks the visitor against a prepared list of addresses one by one, the risk of identifying a visitor's email address appears to exist only under very limited conditions. Anthony showed this method to Google and asked whether it was a bug that should be fixed, but Google reportedly replied that "It is an assumed behavior and not a bug".

in Web Service, Security, Posted by darkhorse_log