Google: Account Information Leak

With an average computer user having online accounts on dozens of websites these days, it is not uncommon for people to lose access to their beloved accounts due to a variety of reasons. Companies often try their best to make it as easy as possible for the users to have access to their online accounts restored. Unfortunately, sometimes this can turn out to be too friendly, as I will demonstrate below.

Using Google Account Recovery, you can retrieve private information, such as names and profile photos, belonging to accounts other than your own.

The only requirement is an email address associated with a Google account.

How it works

Upon reaching the Account Recovery page, you are presented with the following options:

Having trouble signing in?

  • I don't know my password
  • I don't know my username
  • I'm having other problems signing in

On selecting "I don't know my password", you are prompted to enter the email address associated with your Google account.

On entering the email address, you are presented with varying levels of information, depending on the amount of information provided to Google by the account holder.

Worst affected are Google Plus users, since both the profile photos and the names of the users are leaked in their case.

For example, if the address you entered has a Google Plus profile associated with it, you will be presented with something similar to the following:

[Image: Google showing the Profile Photo and the Name associated with an account]

Note: The information shown in the image above belongs to a pseudo profile created for testing purposes.

As you can see above, I was presented with the profile photo and the name associated with my Google account, even though I had unchecked "Help others discover my profile in search results" in the Google Plus profile settings.

If you do not have a Google Plus account, then only the name associated with an account is displayed.

For some addresses — presumably the ones without a Google Plus profile and without any given name — no information is leaked.


I reported this to the Google security team last month, but they claimed that this works as intended. If that is indeed the case, then in my opinion, it is a serious flaw in how they treat private information.

I believe that simply by using an email address (which can be obtained from any number of sources, what with the regular account dumps posted online — belonging to hacked websites), such personally identifiable information should not be disclosed.
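The behaviour described above amounts to a lookup that returns profile fields before the requester has proven anything. As an added example (not part of the original post, and not Google's code), the Python below contrasts that behaviour with a recovery lookup that answers every address identically and sends account details only to the mailbox itself; the account records, function names and message text are constructed for illustration.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

@dataclass
class Account:
    email: str
    name: Optional[str] = None       # given name, if the holder supplied one
    photo_url: Optional[str] = None  # profile photo, if a profile exists
    discoverable: bool = False       # holder's profile-discovery opt-in (hypothetical field)

# Constructed sample accounts (example.com addresses, not real users).
ACCOUNTS = {a.email: a for a in (
    Account("alice@example.com", "Alice Example", "https://img.example.com/alice.png"),
    Account("bob@example.com", "Bob Example"),
    Account("carol@example.com"),
)}

GENERIC_REPLY = {"status": "pending",
                 "message": "If this address has an account, recovery steps were emailed to it."}

def recovery_lookup_leaky(email):
    """Models the post's finding: profile fields go to whoever typed the address."""
    reply = {"status": "pending"}
    acct = ACCOUNTS.get(email.strip().lower())
    # 'discoverable' is never consulted here, so opting out changes nothing.
    if acct and acct.name:
        reply["name"] = acct.name
    if acct and acct.photo_url:
        reply["photo_url"] = acct.photo_url
    return reply

def recovery_lookup_hardened(email, outbox):
    """Same reply for every address; personal details travel only to the mailbox."""
    acct = ACCOUNTS.get(email.strip().lower())
    if acct is not None:
        token = secrets.token_urlsafe(32)  # single-use recovery code
        outbox.append((acct.email, f"Hello {acct.name or 'there'}, your recovery code: {token}"))
    return dict(GENERIC_REPLY)

def disclosed_fields(reply):
    """Account-specific keys visible to an unauthenticated requester."""
    return sorted(set(reply) - {"status", "message"})

if __name__ == "__main__":
    for addr in ("alice@example.com", "bob@example.com", "carol@example.com"):
        print(addr, "leaky:", disclosed_fields(recovery_lookup_leaky(addr)),
              "hardened:", disclosed_fields(recovery_lookup_hardened(addr, [])))
```
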

