Billions Users Data was public through Google Picasa API

Rajshekhar Rajaharia
3 min readApr 5, 2019

--

Recently google shut down its Picasa Web Albums Data API. But Google did very late to shutdown this API. Google’s billions user data got leaked and spammers are using and selling this data in many ways. Today in this post i’ll tell you that how users data was getting leak.

Picasa Web Albums Data API was giving a option to search any users detail by either UserID or Email. Here everyone was able to search any email id using Picasa API and Picasa API was returning their Name, Profile Update Time, Google Plus ID, Profile Picture and Album details etc. Google Apps or Business Accounts Details were also available their.

Google Apps or Business Accounts Details were also available there. The most dangerous thing was that Picasa API was also returning User’s Profile last update date and time. So Spammer were able to recognise if user’s email is active or not and if active that how active that is. For example if i am search my email its returning my name (Rajshekhar Rajaharia), Profile Updated Time and other details. You can see this in screenshot below.

In API Results, Profile Updated Date & Time was most dangerous value as Spammers/Hackers were able to determine if email or user’s profile is active or not.

Picasa API was a public API with no API Key or Token. There was no limit, People was able to request as much as they can. Anyone was able to fetch more than crores email’s data every day. The only thing you need was email list that is easily available on internet. And here spammer/hackers were able to validate them and fetch their Name, Photo, Profile Update Date & Time and Google Plus ID.

And The Real Game starts now. You have Millions ,Billions Email IDs and their Google Plus ID. Now You can fetch further details via Google Plus API or Google People API using Google Plus ID. These API will return whole data like Gender, Education Details, Location, Work History, Designation etc etc. Now you have everything and you can use this data in any way.

Google People API

In July 2013 Facebook fix the same Bug (Search by Email/Phone Number via Graph API)

The same issue was happening with Facebook. But nearby 2013 Facebook removed that option to search any user’s profile by their email or phone number because of privacy and data security.

In July 2013, I reported Facebook that by modifying some queries in Graph API i was still able to fetch user’s profile by their email or phone number. Facebook accepted that this was a vulnerability in their API and user’s privacy and data was on risk. Later they fixed the issue and paid around 2500$ as bug bounty.

Now you can determine how risky Google Picasa Web API was for Google and why google is shutting down these APIs.

Facebook WhiteHat Thanks Page (2013–2014)

--

--

Rajshekhar Rajaharia
Rajshekhar Rajaharia

Written by Rajshekhar Rajaharia

I am a Entrepreneur, Security Researcher & Growth Hacker. https://www.rajaharia.com/

No responses yet