When you sign up for a Google account and create a profile
when they say "create a profile" they're referring to google plus. the
302 on https://profiles.google.com should be a solid indicator of
that. this vulnerability is capable of targeting non-g+ users, and
that's the point.
here is an example of google acknowledging that names are personal
information: http://i.imgur.com/VHLfcC2.png
Quoting Daniel Miller <[email protected]>:
On Wed, Jan 21, 2015 at 2:26 PM, kevin mcsheehan <[email protected]>
wrote:
exploit title: full name disclosure information leak in google drive
software link: https://drive.google.com/drive/#my-drive
author: kevin mcsheehan
website: http://mcsheehan.com
email: [email protected]
date: 01/20/15
source: http://mcsheehan.com/?p=15
description: google drive leaks the full name of a target email address
when said email address is associated with an uploaded file. the full name
is displayed whether or not the target has made that information publicly
accessible by creating a google plus account.
I'm pretty sure Google doesn't consider this sort of thing a vulnerability.
Here's their "it's not a bug" page for it:
https://sites.google.com/site/bughunteruniversity/nonvuln/discover-your-name-based-on-e-mail-address
Dan
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
