I could use this to make a website where, when an HN admin looked at it, it looked great, but when anyone else did, it was full of ads, redirected to malware, or whatever.
Reddit could use it to figure out whether various celebrities were redditors and track what they look at. Even if they never log in! And if they did log in, reddit could find out what their username was.
And that's just what I was able to think up in 30 seconds.
With your first example, you could do that but it wouldn't be realistic to do that. Like I said, you'd have to know the admin's logged-in Google email address already and then they'd have to sit on that page for over 2 hours before you even hit a statistical probability of a match. It would really only work if you were trying to target one specific person. If you were fishing for users from a leak of users or something, this would literally do nothing.
As for the Reddit option, Reddit would already know if the celebrities were redditors because they'd have to know their email address in advance anyway for this trick to work. No celebrity is going to risk setting up a Reddit account without an email address, so Reddit already has that info. On top of that, what's Reddit going to do with a celebrity's email address and username? It's already required for verification on anything important a celebrity would use it for (like an AMA or promos).
Val Kilmer is a redditor. What exactly would I gain from knowing if Val Kilmer is logged in to his Google account?
> they'd have to sit on that page for over 2 hours before you even hit a statistical probability of a match.
No, it would be instantaneous. If you have a specific email address in mind, you test it, and immediately get "yes, it's them" / "no, it's not them" in milliseconds.
> No celebrity is going to risk setting up a Reddit account without an email address
Huh? You don't think famous people have pseudonymous Internet accounts?
> Val Kilmer is a redditor. What exactly would I gain from knowing if Val Kilmer is logged in to his Google account?
"Val Kilmer's secret reddit username is i_love_horse_porn"
> No, it would be instantaneous. If you have a specific email address in mind, you test it, and immediately get "yes, it's them" / "no, it's not them" in milliseconds.
Again... you'd already have to know the email address, and what benefit does it give you to know that this specific person is logged in? You'd have to somehow get that specific person to visit your page in the first place.
> pseudonymous Internet accounts
I know they do. I just don't see what that gets me if I already know their email address.
> i_love_horse_porn
The only people that would be able to gather this information from this exploit are Reddit admins, and they'd already have that information from the email address. Even still... what would they even do with that information?
> Again...you'd already have to know the email address and what benefit does it give you to know that this specific person is logged in?
You can link users (that you target) to specific websites (that you indirectly control, even through something like a malicious ad).
> The only people that would be able to gather this information from this exploit are Reddit admins and they'd already have that information from the email address. Even still... what would they even do with that information?
No! I (as a non-admin) could create a website that uses this exploit right now and link targets (like Reddit admins whose Gmail address I know) to my website. Post the website to Reddit, and voilà. Once they visit the site, I know they did.
And again, I ask... What information or benefit does that give you that you didn't know before? This only works on specific people and targets that you've had to identify before using this. I have yet to hear of a specific example of this being used for nefarious purposes outside of confirming that someone visited a page and there are hundreds of ways to do that without needing to invoke this workaround.
> I know they do. I just don't see what that gets me if I already know their email address.
They most likely use another email address for their anonymous Internet account, but even if they do, they're likely to be logged in to their main Google account at the same time (since you can be logged in to multiple email accounts).
So, in this case, Reddit (or whatever popular website) admins would be able to gather more information than what they should be able to get. It's a loss of privacy for the person concerned.
Besides this, it could be used for phishing to make sure only your target is the one getting the phishing page.
Or, you could combine it with geoip to get the zip code of the person logging in, do a lookup of the different names of people living in that zip code (through the yellow pages or equivalent), and just check all of the first-name/last-name combinations @gmail.com. At the speed of 1000 possible email addresses every 25 seconds, you could probably guess the email of quite a few visitors, I think.
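As an added illustration (not part of the thread, and not code from any of the commenters): a small Python model of the two strategies being argued about, the single targeted probe against a known address versus enumerating first/last-name combinations at the quoted rate of 1000 addresses per 25 seconds. The sample residents, the Gmail address patterns and the mock oracle are all constructed assumptions; the actual login-state check the thread refers to is not described on this page and is not implemented here, the oracle just compares against a constructed logged-in address.

```python
"""Candidate-space sizing for a login-state oracle: targeted probe vs. enumeration."""

# Constructed sample "directory" for one zip code. Hypothetical names, not real people.
RESIDENTS = [("ann", "lee"), ("bob", "kim"), ("cara", "diaz")]

# Figure quoted in the thread: 1000 candidate addresses every 25 seconds.
RATE_PER_SECOND = 1000 / 25

# Address patterns to expand each name into. This list is an assumption;
# the thread only mentions "first name last name combinations".
PATTERNS = ("{f}.{l}", "{f}{l}", "{f}_{l}", "{f0}{l}")


def candidate_emails(residents, domain="gmail.com", patterns=PATTERNS):
    """Expand (first, last) pairs into candidate addresses, preserving order, no duplicates."""
    seen = set()
    out = []
    for first, last in residents:
        for pattern in patterns:
            addr = pattern.format(f=first, l=last, f0=first[0]) + "@" + domain
            if addr not in seen:
                seen.add(addr)
                out.append(addr)
    return out


def guesses_possible(dwell_seconds, rate=RATE_PER_SECOND):
    """How many oracle probes fit while the visitor stays on the page."""
    return int(dwell_seconds * rate)


def seconds_to_exhaust(n_candidates, rate=RATE_PER_SECOND):
    """Dwell time needed to try every candidate once."""
    return n_candidates / rate


def residents_coverable(dwell_seconds, patterns_per_name=len(PATTERNS), rate=RATE_PER_SECOND):
    """How many directory entries can be fully tried (all patterns) in the dwell time."""
    return guesses_possible(dwell_seconds, rate) // patterns_per_name


def make_mock_oracle(logged_in_email):
    """Stand-in for the yes/no login-state check discussed in the thread.

    The real mechanism is not shown on the page; this mock only reports whether the
    probed address equals a constructed 'currently logged in' address.
    """
    return lambda email: email == logged_in_email


def targeted_check(oracle, email):
    """The 'instantaneous' case: one probe against an address you already know."""
    return oracle(email)


def enumerate_until_hit(oracle, candidates, budget_probes):
    """The guessing case: spend at most budget_probes probes, return the hit or None."""
    for i, candidate in enumerate(candidates):
        if i >= budget_probes:
            return None
        if oracle(candidate):
            return candidate
    return None


if __name__ == "__main__":
    oracle = make_mock_oracle("bob_kim@gmail.com")  # constructed target
    cands = candidate_emails(RESIDENTS)
    print("candidates for 3 residents:", len(cands))
    print("targeted probe:", targeted_check(oracle, "bob_kim@gmail.com"))
    print("probes possible in a 60 s visit:", guesses_possible(60))
    print("residents fully coverable in 60 s:", residents_coverable(60))
    print("probes possible in 2 h:", guesses_possible(2 * 3600))
    print("enumeration with 5-probe budget:", enumerate_until_hit(oracle, cands, 5))
    print("enumeration with 12-probe budget:", enumerate_until_hit(oracle, cands, 12))
```

The point the numbers make: with four patterns per name, a one-minute visit at the quoted rate covers roughly 600 directory entries, and two hours covers 72,000, so the enumeration route is only plausible against a small, well-scoped candidate list, while the targeted check against a known address costs a single probe.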
> At the speed of 1000 possible email addresses every 25 seconds, you could probably guess the email of quite a few visitors I think.
No way! Do you know how many Google accounts are out there? As I mentioned before, the person would have to, at the rate given, stay on the site for 2 hours to even have a statistical chance of being guessed unless you knew exactly who the target was.
Overall, this issue seems to only concern a specific individual that's being targeted by another specific entity. It doesn't seem useful or workable at all if you're guessing against a set of known emails.
> No way! Do you know how many Google accounts are out there?
Doesn't matter, I don't care about them. I just care if the person reading right now has initials SB, SM or KAC and might be in a position to say "Sir, have you seen this article?" (note: I have no idea who in the Trump administration might be using non-archived private email or whether rhesus nut or them are actually using Gmail, initials were chosen for names I know are still in their positions at the time I'm writing this)
Wouldn't you have to know the target's email in advance in both of those examples? And not just their email address, but the email address of the Google account they stay logged in to while browsing. If you know a celebrity's email address, you can probably do more than just show them targeted content on your website.