Harvesting email addresses surreptitiously
[Jan. 7th, 2010|08:42 pm]
I realized there's a simple way to harvest the Gmail address of anyone who visits your web page, assuming they're logged in to Google:
Have I missed anything? Is this widely known? I wonder if anyone's doing it.
Edit. I looked at a document in Firebug and the URLs are of the form
http://spreadsheets.google.com/fm/bind?hl=en&fmcmd=80& (That link has now expired; there's a session ID in there.)
The result seems to be a JSON list that encodes all the operations that need to be performed on the front-end. I presume this behavior is part of the GWT (Google Widget Toolkit). I've verified that email addresses are sent as part of the result of that query. Now all I need to figure out is how to construct that URL given a document. A simpler alternative would be to write a browser plugin. Anyone interested in helping me demonstrate this?
There are APIs that allow you to harvest a bunch of information about a person given their email address. I think the most powerful (malicious) use of this hack would be to identify a visitor within a few seconds, and exploit the fact that social engineering attacks are much more likely to succeed if you address the person by name and/or know some details about them.