How A Simple URL Hack Can Expose Your Gmail Address

Google took a lot of flack over privacy concerns this week, like over a loophole that allowed people to figure out your private email address in replies. Security weblog Social Hacking details another method your Gmail address is exposed using a URL hack.

The Social Hacking post points out that users with numeric profile address (e.g.,—the numeric address of the post's author) may think that means their Google account username is still hidden. Turns out with that number, it's actually very easy to divine a user's account id. Here's how it works (from ReadWriteWeb):

First, you simply copy the numbers from a user's Google profile and then append these numbers to[numbers] .

For some users who haven't customised their Picasa page, the username (which is also their Gmail address) will come right up. If the user has customised the account and added a nickname, you simply have to replace the URL in the address bar with javascript:alert(; and a small pop-up window will show you the username.

The solution, from Social Hacking:

To protect yourself from this access, visit the Picasa settings page. Under "Your gallery URL," add a new username and select the new username for your gallery URL. Also, you may want to edit your nickname.

I suppose the point here isn't that Google's done you wrong in every way, but it's worth recognising that when you go public with Google accounts, they really are public, and they tie together in more ways than you might realise.

Using Google Buzz Can Expose Your Gmail Address [Social Hacking via ReadWriteWeb]


Be the first to comment on this story!

Trending Stories Right Now