Finding the name behind the GMail address


Ah, this is a fun little trick.  I'm not sure if it represents a vulnerability, but certainly I expect Google will try to get rid of this feature.  The SecuriTeam blog has reported that it is possible to expose the full name of the user who registered a GMail account.   This is, of course, contingent on the fact that the person who registered the GMail account didn't use a fake first and last name, but still, an interesting trick.

This vulnerability exists because of the strong tie-ins between GMail and all of Google's other services, such as Google Calendar, Blogger, and Google Code, AND the strong desire for Google Apps to be able to share data with people.  This isn't the first time, the second time, or the last time the strong tie-ins have produced interesting results; see my post on Billy Rios's Google Code exploit, Billy's taking ownership (pwnership) of content attacks against Google Spreadsheets, Billy and I stealing documents from Google Docs, and my talk at Black Hat for more.

The steps to accomplish this are as follows:

  1. Sign up for Google Calendar
  2. Go to the ‘share this calendar’ tab
  3. Enter the email address in the ‘person’ box
  4. Click ‘add person’ and ‘save’
  5. When you return to this screen you will see the first and last name along with the gmail address

The blog entry by SecuriTeam illustrates this:

Screenshots:

I always wondered who was behind admin@gmail.com

Tell google you want to share your calendar and put their gmail email address

Oh, I guess they figured people like me would be interested…

admin@gmail.com is a smart ass

If you are getting personalized emails from spammers to your gmail account, here’s an idea on how they got your name.

Ok, big deal, right?  Well, yeah, it's not earth shattering, but it is extremely interesting because of what could be done with it.  As soon as I saw this I could only think about Nitesh Dhanjani and Billy Rios's talk on Phishing, which will be at Black Hat Vegas again, and you should definitely go see it.  The talk centered around getting into the underground of identity theft and phishing.  One thing that was clearly demonstrated was the lack of intelligence of a number of Phishers.  This could give up the full names of some of those Phishers.  Go see Billy and Nitesh's talk this year; I'd be surprised if they haven't used this to their advantage.

-Nate


Talkback

7 comments
  • Gmail User Name

    Sorry dear, it didn't work, I gave it a try already. Kindly don't tell me that Google has fixed it by now, let me know if it really works....
    interDragon
    • It does

      It does really work, I tried it this morning, and also noticed that someone tried it against me as well, but I will say this... the Google Security Team moves like lightning. Say what you will about their disclosure of problems, but they move exceptionally fast. It would not surprise me if they already fixed this at least in that one area... this is of course not to say it isn't possible elsewhere.
      nmcfeters
      • It does work.

        I got the "smart ass" response when I put the admin e-mail address in.
        Matt.Pilatzke
        • Yep

          Just tried again myself and re-confirmed. Not sure what you missed, maybe try again, or shoot over the steps you used.

          -Nate
          nmcfeters
          • Missing A Few Steps In Certain Cases

            I think that, if you are already signed up for Google Calendar, you may be missing a few steps.

            What I had to do in order to get to step 2:

            1a. Log into account. (Duh.)

            1b. Once Calendar is up, select "Settings" in the upper right corner.

            1c. Under Calendar Settings, select "Calendars".

            There, next to your name under "Sharing", you will find the link to "Share this calendar" mentioned in step 2. Continue on from there.

            And, yep, it still works. ;)
            Whyaylooh
          • Thanks for the update

            I was already set up for Google Calendar, so I didn't have to do all of this.

            -Nate
            nmcfeters
  • RE: Finding the name behind the GMail address

    I tried to find out the name of the person but unfortunately it didn't work. I tried to find out who is behind silviakarki414@gmail.com, but it gave me the same name. I am sure that Google might have either fixed the problem or the person should have used Google Calendar for this.
    ybasnet