It's possible to harvest the site visitor email with the +1 Button

It's possible to harvest the site visitor email with the +1 Button Felix Gertz 7/13/11 6:24 AM
When you embed the Google +1 Button in a site and the visitor is logged in with his Google account, the title attribute of the +1 button contains the email address of the visitor.
As a site operator, it is possible to read this title attribute, with the email address it contains, via JavaScript and send it to a server for saving.
So the operator could collect all the email addresses of his visitors, or he could identify a revisit by a matching address.
My question: how can I disable this behaviour?
Re: It's possible to harvest the site visitor email with the +1 Button bhadaway 7/14/11 2:49 AM
You're misunderstanding. No one but the person themselves, logged into their own Google account, will see their own email address in that title. It's in their cookies on their computer alone.

I imagine there might be something maybe a hacker COULD do, but the concern you're having is moot. In other words, I don't think there is anything to worry about.

Thanks, Bryan
Re: It's possible to harvest the site visitor email with the +1 Button Felix Gertz 7/14/11 3:06 AM
I don't think so; the JavaScript reading this title attribute is also on the user's computer/web browser/session, on the client side.
The DOM of the visited site was manipulated by the +1 button and includes the email after the +1 button script code was executed. So any other script executed after the +1 button can access the DOM too and read its content (email address), in this site context.
Any user that is logged in via Google and visits a manipulated website leaves his email address.
Re: It's possible to harvest the site visitor email with the +1 Button bhadaway 7/14/11 3:21 AM
Is this speculative or are you sure? Are you sure Google hasn't already put a defense mechanism in place?

Thanks, Bryan
Re: It's possible to harvest the site visitor email with the +1 Button Felix Gertz 7/14/11 3:48 AM
I am sure. :)
Re: It's possible to harvest the site visitor email with the +1 Button bhadaway 7/14/11 4:26 AM
Well, hopefully a Google employee sees this topic then and can provide some insight.

Thanks, Bryan
Re: It's possible to harvest the site visitor email with the +1 Button Felix Gertz 7/14/11 4:29 AM
Yeah, hopefully. I did not find a more concrete forum or mailing list for this technical problem of the +1 button.
Seems that they don't need such feedback.
Re: It's possible to harvest the site visitor email with the +1 Button bhadaway 7/14/11 4:34 AM
The best thing I could possibly find was this:

http://www.google.com/tools/feedback/intl/en/learnmore.html

Maybe try to note this as a bug?

Thanks, Bryan
Re: It's possible to harvest the site visitor email with the +1 Button bhadaway 7/14/11 4:35 AM
There's also http://www.google.com/security.html - but it's kind of a dead end.

Thanks, Bryan
Re: It's possible to harvest the site visitor email with the +1 Button pierrefar 7/14/11 5:50 AM
Hi Felix,

It would be good to see a proof of concept page - you can send me a URL via a message through my profile. In the meantime I've passed on this report to the relevant team internally.

Thanks,
Pierre
Re: It's possible to harvest the site visitor email with the +1 Button Felix Gertz 7/14/11 6:01 AM
Hi Pierre,

Thank you for your attention.

Since this is not an open source project and I am not a Google employee, I can't spend the time to create a proof of concept page, unfortunately.
So if you hire me, I could do this. ;)

Please let us know what the internal team says about this problem.

Thanks,
Felix
Re: It's possible to harvest the site visitor email with the +1 Button bhadaway 7/14/11 6:10 AM
I hope the team tests this themselves instead of waiting for a shady person to abuse the +1 buttons AND then fix this issue.

Or at least I'd be interested to know if the security is already in place to combat this.

Thanks, Bryan