GSD-2022-1002519

Import Source
https://github.com/cloudsecurityalliance/gsd-database/blob/main/2022/1002xxx/GSD-2022-1002519.json
Withdrawn
2023-03-14T07:01:09.290966Z
Published
2022-05-20T03:09:17.390678Z
Modified
2023-03-14T07:01:09.290966Z
Details

In the Google Analytics admin web interface, current as of 2022-05-19 an information leakage exists in the Account Access Management and Property Access Management that can be used, resulting in an attacker determining if a Google-hosted email address is in fact a Google account or a google group, an alias to a user, or a user account. Additionally, if it is an alias Google will report the real email address associated with the alias.

If it's an account it will add it (e.g. kurt@seifried.org).

If it's a google group it will error out with: "Failed to register users" (e.g. group@seifried.org)

If it is an alias, it will error out with "One of the email addresses entered is the alternate email address of a Google Account (e.g. alias@seifried.org). The alternate email address has been changed to that account's primary email address." and it will change the email alias to the correct email.

References

Affected packages