Google raised a lot of privacy concerns this week over things like allowing people to figure out your private email address in Buzz replies. Security weblog Social Hacking details another method your Gmail address can be exposed using a URL hack.
The Social Hacking post points out that users with numeric profile address (e.g., http://www.google.com/profiles/104424237445852766735–the numeric address of the post’s author) may think that means their Google account username is still hidden. Turns out with that number, it’s actually very easy to divine a user’s account id. Here’s how it works (from ReadWriteWeb):
First, you simply copy the numbers from a user’s Google profile and then append these numbers to http://picasaweb.google.com/[numbers].
For some users who haven’t customized their Picasa page, the username (which is also their Gmail address) will come right up. If the user has customized the account and added a nickname, you simply have to replace the URL in the address bar with javascript:alert(_user.name); and a small pop-up window will show you the username.
The solution, from Social Hacking:
To protect yourself from this access, visit the Picasa settings page. Under “Your gallery URL,” add a new username and select the new username for your gallery URL. Also, you may want to edit your nickname.
I suppose the point here isn’t that Google’s done you wrong in every way, but it’s worth recognizing that when you go public with Google accounts, they really are public, and they tie together in more ways than you might realize.
