Leaking the email of a Google account through Gaia ID

It all started a couple of months ago while I was looking through Google Help for something interesting, when I stumbled upon a page describing how to manage your recovery contacts. This was the first time I had heard about this feature, so I decided to see what it was about.

After looking at it, it didn't look too interesting. You have to enter the email of a Google account in order to send them a request to become your recovery contact. A recovery contact can help you log into your account if you're locked out for some reason. The requests you've sent will appear in a section like this

and can be canceled by clicking on the trash icon.

The interesting part was the web request being sent. After URL decoding the payload, it looked like this:

f.req=[[["yQAXOd","["116854005540224002194","verycoolemail123@gmail.com","Very Cool Name","verycoolreciever@gmail.com"]",null,"generic"]]]

One thing in particular stood out: 116854005540224002194

This is the Gaia ID of the account we're requesting as a recovery contact. A Gaia ID is the unique identifier assigned to every Google account. I wondered what would happen if I replaced the Gaia ID with someone else's, and sure enough, a request was sent and their email address was exposed in the "Requests you've sent" section.

But how is that useful? Well, there are some Google platforms that expose their users' Gaia IDs without exposing their emails.

Google Maps

If you've ever posted a review on Google Maps, then you have a contributor profile. This is what it should look like

It includes your reviews, photos, Google account name and your Gaia ID in the URL.

https://www.google.com/maps/contrib/105149523195748775344/

So, using the vulnerable recovery contact request, we can leak the email address of anyone who has a contributor profile. According to Google, as of 2020 there were 120 million contributors. That number has only grown since then, but I couldn't find anything more recent, so I'll leave it at that.

Google Drive

When a file is shared with you in Google Drive you can view its activity

The Activity tab shows a list of people who have modified the file in any way. That list includes events, account names and Gaia IDs.

So, once again, using the vulnerable recovery contact request, we can leak the email of anyone who has modified the file.

But how do we find publicly shared Google Drive files?

This is what a sample share URL looks like:

https://drive.google.com/file/d/1id_SKCLztw2JeFfXKHu_Xuq9Ynbgh_vy/view?usp=sharing

All of them include "usp=sharing". And as it turns out, they can be indexed by search engines, so using the following Google dork:

site:drive.google.com/ inurl:usp=sharing

we can get access to a bunch of shared Drive files. Just opening a link is enough for the file to be considered shared. Using the dork above, I was able to find all kinds of files. Here's some of them:

MIT paper: https://docs.google.com/document/d/1e9wx9oBg7CR0s5O7YnYHVmX7H7pnITfoDxNdrSGkp60/

Gordon Ramsay shit: https://docs.google.com/document/d/1g6e0PGV25c4Ay_ht0ZbuttHSCGIT25BAuVF--GRkGEM/

Bank information: https://docs.google.com/spreadsheets/d/1VS6idas8RoN38yzTWK_yRJrOU3k7-My3YKerNrhc0dg/

It's important to mention that the email addresses of the file owner and the last person who modified it are included in the details section, which makes this only useful for files with a long activity history.

Phishing

Going back to the request being sent, the Gaia ID is not the only interesting thing in it. When you request someone to be your recovery contact, they receive the following email:

After playing with the request some more, I noticed that the account email and name of the sender were being included in the final email, without any checks or sanitisation,

f.req=[[["yQAXOd","["116854005540224002194","{account email of sender}","{account name of sender}","reciever@gmail.com"]",null,"generic"]]]

which allowed for the crafting of some pretty convincing looking phishing emails.

The emails were being sent from the official Google domain and never went to spam, so the victim would always see them. Not only is their email being leaked, but they are also put at risk of phishing.
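To make the two server-side problems concrete (the client-chosen Gaia ID in the request shown earlier, and the client-supplied sender name and email in the notification mail), here is an added example that is not the author's PoC and not Google's code. It simulates the recovery-contact endpoint with a constructed account directory, a hypothetical Session object, and the f.req envelope in the shape shown in the post. The vulnerable handler trusts every field in the body; the hardened one takes the sender's identity from the authenticated session and resolves the recipient from the address the user actually typed, so a substituted Gaia ID is rejected instead of answered.

```python
import html
import json
from dataclasses import dataclass

# Constructed account directory standing in for the backend: Gaia ID -> (email, name).
# Every ID and address here is made up for the example.
DIRECTORY = {
    "100000000000000000001": ("alice@example.com", "Alice Example"),
    "100000000000000000002": ("bob@example.com", "Bob Example"),
    "100000000000000000003": ("carol@example.com", "Carol Example"),
}
EMAIL_TO_GAIA = {email: gaia for gaia, (email, _) in DIRECTORY.items()}


@dataclass
class Session:
    """The authenticated caller as the server knows it (hypothetical session object)."""
    gaia_id: str


def build_f_req(recipient_gaia, sender_email, sender_name, recipient_email):
    """Build the f.req envelope in the shape shown in the post:
    [[["yQAXOd", "<JSON-encoded argument list>", null, "generic"]]]."""
    inner = json.dumps([recipient_gaia, sender_email, sender_name, recipient_email])
    return json.dumps([[["yQAXOd", inner, None, "generic"]]])


def parse_f_req(f_req):
    """Unwrap the envelope and return the four client-supplied arguments."""
    rpc_id, inner, _, _ = json.loads(f_req)[0][0]
    if rpc_id != "yQAXOd":
        raise ValueError("unexpected rpc id")
    recipient_gaia, sender_email, sender_name, recipient_email = json.loads(inner)
    return recipient_gaia, sender_email, sender_name, recipient_email


def vulnerable_handler(session, f_req):
    """Trusts every field in the body, reproducing both problems from the post."""
    recipient_gaia, sender_email, sender_name, _ = parse_f_req(f_req)
    # The recipient is looked up by the client-chosen Gaia ID, so any ID can be
    # swapped in and the matching email shows up in "Requests you've sent".
    recipient_email = DIRECTORY[recipient_gaia][0]
    # Sender name and email are copied straight from the body into the mail.
    return {
        "request_to": recipient_gaia,
        "shown_to_sender": recipient_email,
        "mail_body": f"{sender_name} ({sender_email}) asked you to be their recovery contact.",
    }


def hardened_handler(session, f_req):
    """Sender identity comes from the session; the recipient is resolved from the
    typed address, so the body's Gaia ID and sender fields carry no authority."""
    recipient_gaia, _, _, recipient_email = parse_f_req(f_req)
    sender_email, sender_name = DIRECTORY[session.gaia_id]
    resolved = EMAIL_TO_GAIA.get(recipient_email)
    # Reject rather than silently correct, so a mismatch is visible in server logs.
    if resolved is None or resolved != recipient_gaia:
        raise PermissionError("recipient id does not match the supplied address")
    return {
        "request_to": resolved,
        # Only the address the user already knew is echoed back to them.
        "shown_to_sender": recipient_email,
        "mail_body": f"{html.escape(sender_name)} ({sender_email}) asked you to be their recovery contact.",
    }
```

The design point is that the body's Gaia ID is redundant once the server resolves the typed email itself: keeping it only as a consistency check closes the ID-to-email oracle, and pulling the sender's name and address from the session removes the free-text fields that made the notification mail spoofable.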

In a normal attack scenario, after the attacker sends a request they would cancel it immediately. The victim would receive an email and click on "Review Request", but would not find anything, since the request has already been canceled. Then, if they still want to know who sent them a request, they would have no choice but to go to the phishing page.
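The send-then-cancel pattern described above leaves a footprint that a service operator can look for. The following is an added detection example, not part of the original post, run over a constructed audit log (the log format, Gaia IDs and request ids are made up): it flags senders who create and cancel recovery-contact requests to several different recipients within seconds, which is what the enumeration-plus-phishing flow looks like from the server side, while a request cancelled days later by an ordinary user is left alone.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit log for the example; the Gaia IDs and request ids are made up.
# Format: <timestamp> sender=<gaia> action=create|cancel recipient=<gaia> req=<id>
SAMPLE_LOG = """\
2025-12-03T10:00:00Z sender=100000000000000000009 action=create recipient=100000000000000000003 req=r1
2025-12-03T10:00:05Z sender=100000000000000000009 action=cancel recipient=100000000000000000003 req=r1
2025-12-03T10:00:30Z sender=100000000000000000009 action=create recipient=100000000000000000004 req=r2
2025-12-03T10:00:33Z sender=100000000000000000009 action=cancel recipient=100000000000000000004 req=r2
2025-12-03T10:01:10Z sender=100000000000000000009 action=create recipient=100000000000000000005 req=r3
2025-12-03T10:01:12Z sender=100000000000000000009 action=cancel recipient=100000000000000000005 req=r3
2025-12-03T11:00:00Z sender=100000000000000000001 action=create recipient=100000000000000000002 req=r4
2025-12-05T09:00:00Z sender=100000000000000000001 action=cancel recipient=100000000000000000002 req=r4
"""


def parse_line(line):
    """Split one log line into a dict with a parsed timestamp."""
    ts_text, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def find_send_cancel_bursts(log_text, max_gap=timedelta(seconds=60), min_distinct=3):
    """Return {sender: [recipients]} for senders that created and then cancelled
    requests to at least `min_distinct` different recipients, each within `max_gap`."""
    created = {}                       # req id -> create record
    fast_cancelled = defaultdict(set)  # sender -> recipients cancelled quickly
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["action"] == "create":
            created[rec["req"]] = rec
        elif rec["action"] == "cancel" and rec["req"] in created:
            opened = created.pop(rec["req"])
            if rec["ts"] - opened["ts"] <= max_gap:
                fast_cancelled[rec["sender"]].add(rec["recipient"])
    return {s: sorted(r) for s, r in fast_cancelled.items() if len(r) >= min_distinct}


if __name__ == "__main__":
    for sender, recipients in find_send_cancel_bursts(SAMPLE_LOG).items():
        print(f"flag sender {sender}: fast-cancelled requests to {len(recipients)} recipients")
```

The thresholds are deliberately loose; the signal worth keeping is the ratio of quick cancellations to distinct recipients per sender, which is near zero for a real user choosing a recovery contact and climbs quickly for anyone using the request as a lookup.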

Final result

I decided to make a PoC program that automates the process, and this is what I got

(the title is a bit clickbait but who gafs)

Disclosure

I sent a report to Google VRP on 03/12/2025 and after a couple of hours it was closed.
Reasoning: "An attacker who is in a position to retrieve the URL tokens can also access the cookies or other credentials directly (e.g. via malware or shared computer use)"

I had to clarify that the URL and cookies used in the PoC program are just to make the request for a recovery contact and do not belong to the victim.

15 days later my report was accepted.

Finally, on 18/02/2026 (77 days after my initial report), Google categorised my report as falling under the Abuse Vulnerability Reward Program with medium impact and medium probability and awarded me $1337. This is understandable since Google is a small startup and likely does not have the capital to pay more.

I tried arguing that my report should be considered of higher impact and/or probability under the Abuse Vulnerability Reward Program, but I never received a response.