Over the last few days, there has been a lot of buzz about how much private information your public Google profile contains if you don’t choose the right settings. The URL of your profile alone can already give away your Gmail address. To hide this address from public view, you can switch your profile URL away from showing your name to using an address that features a 21-digit number instead of your username. However, as it turns out, this isn’t a foolproof method either. By using a very simple trick, anybody can quickly figure out your Gmail address from these numbers.
Update: Google has now closed this loophole. Here is a statement we just got from a Google spokesperson:
"Blogger harmonyguy helped us discover a bug that made it possible to discover a user’s email address based on their numeric profile ID. Our engineers worked hard to address this issue and it is now fixed."
Security blogger The Harmony Guy just told us about how this hack works. While the way to reveal these addresses isn’t obvious, you can easily follow along and try this method out yourself.
How does it work?
First, you simply copy the numbers from a user’s Google profile URL and then use them in place of [numbers] in http://picasaweb.google.com/[numbers].
It’s important to note that this only works for Google users who also use the Picasa web service. This, however, is likely a large percentage of Gmail users.
How to Protect Yourself
In Picasa Web Albums, go to the settings page and add a new username. Then, select the new username for your gallery URL. As The Harmony Guy points out, you may also want to edit your nickname.
Is this a major issue for Google? Probably not. But given the ruckus around privacy, Buzz and Google Profiles these days, it is disheartening to see that it is this easy to circumvent the only way to hide your Gmail address from public view. After all, if you want to use Google Buzz, Google forces you to have a public profile.