Rohmad Hidayah

Published On: 09 Dec 2024

Revealing Other Users' Gender Even If Set to "Only You" via Google Chat

Privacy/Authentication
Google | Web
---
UNDEFINED OTHER
Description

In Google account settings, users can set "Choose who can see your gender" to "Only you" or "Anyone". When set to "Only you" it means the information is private, but this bug could reveal it.

Show Image

Impact

Reveal other users' gender even if set to "Only you".




Reproduction Steps

Step
1

Users

- User A (attacker)

- User B (victim)

Step
2

Steps

1. From User A add User B to your space by intercepting the request using a proxy tool like Burp Suite.

2. In Burp Suite's HTTP history, you will see a POST request sent to the /u/0/api/list_topics?c=RANDOM_NUMBER endpoint with some parameters in the body.

3. User B's gender will be revealed in the response body.

Videos

Timeline
.
Rohmad 25 Nov 2024

Submit a report

.
Google 26 Nov 2024

Triaged

.
Google 29 Nov 2024

Closed Hi. I can't reproduce this report. I can only see list_members requests, not list_topics when I "Add members". In the list_members response, I c ... See More

.
Rohmad 30 Nov 2024

More info sent

.
Google 02 Dec 2024

Triaged

.
Google 03 Dec 2024

Closed Hi! Unfortunately, we cannot reproduce the issue you reported. Your video (at 1:19) shows exactly what we describe. You only see the gender of th ... See More

.
Rohmad 03 Dec 2024

Reply Hi, please correct it again. [email protected] is the victim, while [email protected] is the attacker. [email protected] has set th ... See More

.
Google 03 Dec 2024

Reply Hi! As we mentioned before

.
Rohmad 03 Dec 2024

Request disclosure

.
Google 04 Dec 2024

Disclosure approved

OTHER






Show All Images