Facebook would probably just consider this a feature, but the rest of us will definitely consider this a big security hole. The creator of http://guntada.blogspot.com (don’t visit that site just yet) emailed us this morning to explain. If you’re already logged in to any Google account (Gmail, etc.), and visit that site, he’s harvested your Google email. And proves it by emailing you immediately. http://tctechcrunch.files.wordpress.com/2010/11/emailms.jpg
And it even works in “incognito” mode (also known as porn mode).
What is the exploit? We don’t know, and Google has yet to respond to us about it. We note that the site doing the exploiting is on Google’s own blogging platform. One developer we spoke with was confused as well, saying:
i have no idea what this is exploiting but there’s a decent chance it has something to do with Friend Connect and the way it passes data between iFrames (ie yes, it very well could be opensocial related). whatever is going on it’s an extremely serious security and privacy violation and i am confident google will address this in moments counted in minutes.
i can’t recall ever having seen anything like this on a major IdP’s website. it’s scary stuff.
If you insist on trying this yourself (hey, I did), the email to you will likely be in your spam filter.
This isn’t a particularly dangerous exploit, but it sure is something a lot of people would love to have on their own sites. The ability to harvest emails from anyone already signed into Google, not to mention just see exactly who’s visiting the site, is extremely valuable. See the second comment thread here for a related issue with App Engine a month ago.
Update: The site is now down. Here’s what it looked like: