For years, Google has offered two nice features on its gmail.com platform that give you more power over your email address. You can play with the “+” (plus) sign or the “.” (dot) to create more email addresses linked to your primary one. Let’s take the example of John, the owner of john.doe@gmail.com. John can share the address “john.doe+soccer@gmail.com” with the friends he plays soccer with, or use “john.doe+security@gmail.com” to register on forums about information security. It’s the same with dots: Google just ignores them, so “john.doe@gmail.com” is the same as “john.d.oe@gmail.com”. Many people use the “+” format to manage the flood of email they receive every day and automatically process it or store it in separate folders. That’s nice, but it can also be very useful for discovering where an email address is being used.
A few days ago, Troy Hunt, the owner of the haveibeenpwned.com service (if you don’t know it yet, just have a look and register!), announced that new massive dumps were in the wild, for a total of ~1B passwords! The new dumps are called “Exploit.In” (593M entries) and “Anti Public Combo List” (427M entries). The sources of the leaks are not clear. I grabbed a copy of the data and searched for Google “+” email addresses.
Not surprisingly, I found +28K unique accounts! I extracted the strings after the “+” sign and indexed everything in Splunk:
As you can see, we recognise some known online services:
- xtube (adult content)
- friendster (social network)
- filesavr (file exchange service in the cloud)
- linkedin (social network)
- bioware (gaming platform)
This does not mean that those platforms were breached (ok, LinkedIn was) but it can give some indicators…
Here is a dump of the top identified tags (with more than 3 characters to keep the list useful). You can download the complete CSV here.
| Tag | Count |
| --- | --- |
| xtube | 37 |
| spam | 18 |
| filedropper | 17 |
| daz3d | 12 |
| bioware | 11 |
| friendster | 10 |
| savage | 10 |
|  | 8 |
| eharmony | 7 |
| filesavr | 6 |
| bryce | 5 |
| savage2 | 5 |
| porn | 4 |
| precyl | 4 |
| bravenet | 3 |
| comicbookdb | 3 |
| freebie | 3 |
| freebiejeebies | 3 |
| freebies | 3 |
| hackforums | 3 |
| junk | 3 |
| kffl | 3 |
| social | 3 |
| youporn | 3 |
| 97979797 | 2 |
| brice | 2 |
| dazstudio | 2 |
| detnews | 2 |
| eharm | 2 |
| free | 2 |
| gamigo | 2 |
| hack | 2 |
| heroesofnewerth | 2 |
| itickets | 2 |
| lists | 2 |
| luther | 2 |
| paygr | 2 |
| policeauctions | 2 |
| test | 2 |
| texasmonthly | 2 |
| toddy | 2 |
| trzy | 2 |
| usercash | 2 |
| xtube2 | 2 |
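
The tag extraction and counting described above can be reproduced without Splunk. The following Python is an added example, not the author's code: it assumes an `email:password` line layout, and the sample lines, the function names and the once-per-mailbox de-duplication are constructed for illustration.

```python
from collections import Counter

# Constructed sample lines in an assumed "email:password" layout
SAMPLE_DUMP = """\
john.doe+soccer@gmail.com:REDACTED
John.Doe+Security@gmail.com:REDACTED
j.o.h.n.doe+security@gmail.com:REDACTED
jane.roe+security@gmail.com:REDACTED
jane.roe+abc@gmail.com:REDACTED
jane.roe@gmail.com:REDACTED
alice+shop@example.org:REDACTED
not-an-email-line
"""


def parse_address(line):
    """Return (canonical_mailbox, tag) for a gmail.com address, else None."""
    email = line.strip().split(":", 1)[0].lower()
    local, at, domain = email.rpartition("@")
    # Everything after the first "+" is the tag
    base, _, tag = local.partition("+")
    if not at or not base or domain != "gmail.com":
        return None
    # Dots in the base are ignored, so strip them to get one mailbox identity
    return base.replace(".", "") + "@" + domain, tag or None


def tag_counts(lines, min_len=4):
    """Count tags once per canonical mailbox (assumed meaning of 'unique accounts')."""
    seen = set()
    for line in lines:
        parsed = parse_address(line)
        # Keep tags with more than 3 characters, as in the table above
        if parsed and parsed[1] and len(parsed[1]) >= min_len:
            seen.add(parsed)
    return Counter(tag for _, tag in seen)


if __name__ == "__main__":
    for tag, count in tag_counts(SAMPLE_DUMP.splitlines()).most_common():
        print(f"{tag},{count}")
```

Because dotted and mixed-case variants collapse to one canonical mailbox, the same person registering twice on a service does not inflate that service's count.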
[The post Identifying Sources of Leaks with the Gmail “+” Feature has been first published on /dev/random]
from Xavier
