| It's possible to harvest the site visitor email with the +1 Button | Felix Gertz | 7/13/11 6:24 AM | When you embed the Google +1 Button in a site and the visitor is logged in with his Google account, the title attribute of the +1 button contains the email address of the visitor. As site operator it is possible to read this title attribute with the conta |
| Re: It's possible to harvest the site visitor email with the +1 Button | bhadaway | 7/14/11 2:49 AM | You're misunderstanding. No one, but the person themselves logged into their own Google account will see their own email address in that title. It's in their cookies on their computer alone. I imagine there might be something maybe a hacker COULD do |
| Re: It's possible to harvest the site visitor email with the +1 Button | Felix Gertz | 7/14/11 3:06 AM | I don't think so, the JavaScript reading this title attribute is also on the user's computer/web browser/session on client side. The DOM of the visited site was manipulated by the +1-button and includes the email after the +1-button script code was exc |
| Re: It's possible to harvest the site visitor email with the +1 Button | bhadaway | 7/14/11 3:21 AM | Is this speculative or are you sure? Are you sure Google hasn't already put a defense mechanism in place? Thanks, Bryan |
| Re: It's possible to harvest the site visitor email with the +1 Button | Felix Gertz | 7/14/11 3:48 AM | I am sure. :) |
| Re: It's possible to harvest the site visitor email with the +1 Button | bhadaway | 7/14/11 4:26 AM | Well, hopefully a Google employee sees this topic then and can provide some insight. Thanks, Bryan |
| Re: It's possible to harvest the site visitor email with the +1 Button | Felix Gertz | 7/14/11 4:29 AM | Yeah, hopefully, I did not find a more concrete forum or mailing list for this technical problem of the +1 button. Seems that they don't need such feedback. |
| Re: It's possible to harvest the site visitor email with the +1 Button | bhadaway | 7/14/11 4:34 AM | The best thing I could possibly find was this: http://www.google.com/tools/feedback/intl/en/learnmore.html Maybe try to note this as a bug? Thanks, Bryan |
| Re: It's possible to harvest the site visitor email with the +1 Button | bhadaway | 7/14/11 4:35 AM | There's also http://www.google.com/security.html - but it's kind of a dead end. Thanks, Bryan |
| Re: It's possible to harvest the site visitor email with the +1 Button | pierrefar | 7/14/11 5:50 AM | Hi Felix, It would be good to see a proof of concept page - you can send me a URL via a message through my profile. In the meantime I've passed on this report to the relevant team internally. Thanks, Pierre |
| Re: It's possible to harvest the site visitor email with the +1 Button | Felix Gertz | 7/14/11 6:01 AM | Hi Pierre, thank you for your attention. Since this is no open source project and I am not a Google employee, I can't spend the time to create a proof of concept page, unfortunately. So if you will hire me I could do this. ;) Please let us know wh |
| Re: It's possible to harvest the site visitor email with the +1 Button | bhadaway | 7/14/11 6:10 AM | I hope the team tests this themselves instead of waiting for a shady person to abuse the +1 buttons AND then fix this issue. Or at least I'd be interested to know if the security is already in place to combat this. Thanks, Bryan |