After seeing reports on Twitter that "everyone" now was on Google+, and not having received an invite e-mail myself, I had an intense feeling of being left out. So yesterday, I started tinkering.
There have been several ways into Google+. Just after the launch, the reports were that a Google+ user could share something with you, and you were offered to join Google+ to see the shared content. Along came also the possibility for Google+ users to invite people directly (which led to people selling their invites). To get in line for Google+, you could also sign up at the Google+ website. I had signed up, and it turns out I had also been invited by two friends (I was in their circles already), but without receiving a notice from Google. I was curious to find out what was behind the signup screen shown below, so I had to do something!
I figured I'd use Google to find a way in. After all, Google tends to find all the stuff you don't want it to index, such as PGP private keys or your customer password database. After five minutes of tinkering with URLs and poking around with various searches on Google, I found a link that let me instantly register for Google+!
Here's a link to the search on Google. I basically needed to figure out the signup URL, and then find a valid Google+ invite key. Interestingly, the search results have changed overnight; here's today's result:
There's even a hint in today's search result: gpinv=myinvitekeyithink! But unfortunately, none of today's links seem to get the job done. But here's the result from clicking on yesterday's link:
I'll just have to thank Nguyen for inviting me. I have no idea who this is. And I have no idea why a direct invite link on his behalf was searchable in Google. Anyhow, I clicked Join to confirm that I was finally accepted into Google+. Success!
So! What to do now? We should probably try a hangout!
Some final considerations
"Borrowing" the invite from Nguyen was in the grey area, but it was the only way to confirm that a simple Google search would provide me with a shortcut into Google+. Despite him being mentioned on the screen where I joined, I'm not connected to him on Google+ in any way. He's not in any of my circles, I'm not in his. If that was the case I would have reported it to the Google security team immediately.
Other Google+ users also claim to have bypassed the queue; I believe they've used other techniques than the find-a-link-on-Google approach (not sure what they've done).
I have also notified Google about the issue. And now you!
If you stumble upon a security issue in a Google website you should take a moment to read their Google security and product safety webpage and report the issue.
© André N. Klingsheim and www.dotnetnoob.com, 2009-2015. Unauthorized use and/or duplication of this material without express and written permission from this blog’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to André N. Klingsheim and www.dotnetnoob.com with appropriate and specific direction to the original content.