I've been tracking security holes that leak your identity for a while.<p>Via a bug in Firefox's Error object: <a href="http://33bits.org/2010/06/01/yet-another-identity-stealing-bug-will-creeping-normalcy-be-the-result/" rel="nofollow">http://33bits.org/2010/06/01/yet-another-identity-stealing-b...</a><p>Via a bug in Google spreadsheets: <a href="http://33bits.org/2010/02/22/google-docs-leaks-identity/" rel="nofollow">http://33bits.org/2010/02/22/google-docs-leaks-identity/</a> (I found this one :-)<p>Via history stealing: <a href="http://33bits.org/2010/02/18/cookies-supercookies-and-ubercookies-stealing-the-identity-of-web-visitors/" rel="nofollow">http://33bits.org/2010/02/18/cookies-supercookies-and-uberco...</a><p>More sophisticated, but hypothetical version of previous: <a href="http://33bits.org/2010/02/19/ubercookies-history-stealing-social-web/" rel="nofollow">http://33bits.org/2010/02/19/ubercookies-history-stealing-so...</a><p>XSS bugs and other problems with Instant personalization partner sites: <a href="http://33bits.org/2010/09/28/instant-personalization-privacy-flaws/" rel="nofollow">http://33bits.org/2010/09/28/instant-personalization-privacy...</a><p>I've also been predicting that this will eventually become the new normal -- both because the bugs are coming too fast to fix (and exploits in the wild will become more common) and because Facebook is pushing to change people's expectations with Instant Personalization.<p>The other day I attended a talk about one-click frauds. I realized that that's the perfect black-hat use-case for this class of attacks (although current 1-click fraudsters are apparently rather low tech). Stay tuned.
The non-automatic version of this (with an appspot domain, not considered a bug, the guy logged in) has been used to discover the true identity of a guy who claimed to reveal insider info on Twitter about the French Socialist party (left - Parti Socialiste); he is a member of the opposite party UMP (right).<p><a href="http://www.rue89.com/2010/09/30/comment-le-faux-twitter-du-ps-tenu-par-lump-a-ete-debusque-168962" rel="nofollow">http://www.rue89.com/2010/09/30/comment-le-faux-twitter-du-p...</a>
It's funny that Google says "We encourage responsible disclosure of potential application security issues to security@google.com" yet they didn't reply back to this hacker who exploited the hole.
I just don't feel safe with Facebook Connect. Seems like someone can get information from that as well. Don't like the whole logged in while on Facebook, to the whole internet.
One way to mitigate most of these holes is to separate email from web browsing. Some people actually use two different computers or browsers, but I just make sure to log out (not just close the tab with) my email before I browse any other sites. Even sites I trust (because they could have been hit by XSS or something).
It's clear this issue will be resolved shortly by Google (the site's already dead).<p>I just hope that, once fixed, the exploit is released for inspection.
I also think of it as a feature, or near to it. Hate signing up for sites as a user, and as a developer hate that chicken-and-egg issue with users who hate to sign up. I visit the site, I click "send me password", and the site looks me up, sends me a new password or reminder, and I log in by just typing the password. This as an example.
Why has not a single person mentioned that TC is just wrong? The problem is not that it gets your email address... it looks like it's likely that the website isn't even getting the Gmail address.<p>It's much worse. The blog author is able to send emails through an API that appear to be from "noreply@gmail.com" with the proper headers. So instead of getting a funny little email, you get a phishing email that even Gmail isn't smart enough to block.<p>But, I mean, sure, let's act scared that some website can get my Gmail. You want it? I'd be happy to give it to anyone, spam or otherwise.