Update: On May 25, 2020 I posted part II with some more hints and tips.
Everybody who owns a Google account may not be aware of it, but Google uses a lot of different numbers, ID’s, signatures, account names, randomly chosen gobbledygook and meaningless strings to identify your account. Not everything can be tied together in an easy way, but there are a few handy shortcuts when you are looking at Gmail addresses or a YouTube account for instance. I am not able to do this in bulk yet, but I know there are people out there that might be able to make that happen.
First of all, from back in the days of Google+ every account that got connected to Google apps like Maps and Photos, have a unique ID. The ID used to be visible when you opened up a Google+ page from someone, or viewed their photo album.
But is it possible to find out from just a GMail address what photos someone posted online? Or what reviews they left behind? Or maybe even track the YouTube playlist they created? Yes, that is indeed possible.
But for that, we first need to find out what the userID is for a specific GMail address that you have. For that, I dove into the dump of Iron March and I filtered out all the mail addresses ending on @gmail.com and started to write.
Disclaimer: I’ll be touching this later on too, but I didn’t write any scripts for this! This is all manual labour and works easy for small amounts of mail addresses. If you are able to write a tool, please be my guest! More details can be found later in this article.
The easiest and fastest way to get your hands on a bunch of user id’s is by using Google Contacts. Just prepare a CSV file with the names and email addresses of your targets, and import them into your contact list.
Update December 4: There is another way of finding these userID’s, read on to find out.
The next step is to open the developer tools, and reload the page, because we are going to try and find the ‘raw’ response of the servers that contains details of the contacts you added. The response can be spotted in a set of four requests to ‘contacts.google.com’ and contain the endpoint ‘batchexecute’.
We can’t really work with this, especially with a list of 624 contacts! So we are going to pull this in and save it to a text file. Simply right click on the command, choose ‘Copy as cURL’ and open a linux prompt (I actually use Ubuntu under Windows on my laptop for that).
Paste the command in the command line and we direct the output to a text file. Not all the parameters and cookies are needed so we could truncate the whole cURL command, but for the sake of making this write-up a little bit easy to follow, I’ll stick with this for now. After importing the 624 GMail addresses, and dumping them to a text file, I had a look and found I had a total amount of 130 unique Google userID’s! That’s roughly 20% of all the users, which isn’t really that great, but for a quick solution this is a great starting point!
The userID’s can be found by looking for 21 character long decimal numbers, and they all seem to be starting with ’10’ or with ’11’.
After I posted this, I received a tip from Marc Magnin on Twitter. He found out that the userID’s can be found inside the source code of the page too, as could be expected. For that you go to your contacts and open the contact you are interested in. With help of the developer tools you open the ‘Inspector’ tab (Firefox) or ‘Elements’ tab (Chrome) and you search within the source code for the element: data-sourceid. There will be one or two found, and in case there are two, the second one will have the userID shown.
I found that the HTML code in front of it keeps the same for the contacts in my own contact list, so it is possible to search for the whole line of code and use the following query in a tool like data-miner, to quickly get a list of userID’s. So that would mean you create a recipe that looks specifically looks for the following piece of HTML code:
<div class="NVFbjd LAORIe "data-sourceid="
And another way of finding a userID is possible when you have the YouTube page of a target. All that is needed to find the userID is to look inside the source code and look for the link pointing towards ‘plus.google.com’. The number right after it is the userID you are looking for.
Thank you Jean Marc Manach for reminding me to add this, since I forgot to add this little nugget.
Again: Not all the contacts were accompanied by a Google userID in this way, even though every account actually has one. The only trustworthy way to retrieve the rest is to use a Google API. But since it will be way outside the scope of this article, and I currently don’t have enough time to dive into scripting this up, I welcome other people work on a nifty solution for that. But let’s have a look at the API itself to see what you can do with it.
If the userID isn’s visible in the dump of your contacts, but you are really keen on investigating that particular mail address, there is another way to retrieve userID. For that we look at the Google People API, which gives you the option to retrieve all kinds of information from your contacts. Things like addresses, names, phone numbers and whatever personal information you have entered for a person. The field we are interested in is the ‘metadata’ option, since the response contains the unique userID that we need.
As a ‘resource’ name, we need to have yet another internal userID that I’ll name contactID. And this one can be found in the text file we created earlier, or by simply opening a contact card of the desired target and look at the requests that are sent towards the server. One of the requests will have such a contactID in the request data. It is easily recognised since it starts with a ‘c’ and contains about 19 or so numbers.
With this information at hand we enter the Google API. To read up on this API, you can simply visit the documentation here: https://developers.google.com/people/api/rest/v1/people/get
Don’t expect this to work right out of the box, you first have to create a project, grant your project rights to use certain API’s and so on. But if you are a developer (I’m clearly not!) or you are technical enough, I do suggest you create a project and have a look at the plethora of API’s that are available in the world of Google.
After you retrieved the userID, there are at least three things you are able to do right away: Find possible photo albums, find reviews or locations and the last one: Find the YouTube account that is connected to the account. So time to have a look at these options.
This was mentioned in the Week in OSINT episode of week 49, but to remind you: To find a photo album of any given user, we simply need to fill in the userID in the following URL:
Don’t expect that everybody has photo album, but you will be surprised how many actually have content that could even be used to pivot from! Especially with the breach data that I used as an example in this article.
And the best of all is that once in a while there is not only a photo posted in an album, but it is even tied to an exact location on Google Maps! Here is a photo that was pulled from a photo album via this trick:
And when I looked at the Google Maps data for this particular user, we actually find that the photo was posted with specific coordinates, about 3.5 years ago:
Google Maps and Google Reviews can both be accessed via GMaps, and each user can be investigated by simply requesting the correct URL, and that is:
When this URL is opened, by default is shows the photos that are uploaded with location information, but the users reviews can be accessed via the option on the left. One of the amazing things is that even with only a GMail address, no photo album and no reviews, you are still able to find out someones real name, unless they are really smart and use an alias of course.
Something not a lot of people know is that in a lot of cases it is possible to find the YouTube channel of a Google user, when you only have a GMail address at hand. It is possible to create multiple channels or profiles, but every Google user has a standard account on YouTube that can be retrieved via:
The result is the RSS of that users uploads. This can be empty, this can be pages and pages long, but it will give something in return. But this does not work with the userID we found, for this the only thing you need is the account name, or in most cases (disclaimer coming up!) the part in front of ‘gmail.com’.
It does not mean that this is foolproof! So far I have not seen any discrepancies, but I do fear that they are there! I can image that someone claimed an account name, but someone else is in possession of the mail address with that name. So please verify and double verify all this, before jumping to conclusions. Now on to the fun part!
Note: Since I have tried to redact as much as possible in this article, I chose to pick a different and random user for the next part. You can get the breach data yourself and go over the dozens and dozens of YouTube accounts that are out there.
So let’s pick someone called ‘test’, who might have the mail address [email protected] (this is just an example of course) and the YouTube channel that belongs to that account is:
Me being curious, I ran a little script that checked whether a YouTube page was existing for each of the user names that were in the list of GMail accounts. Within the list of 624 addresses there are 45 matches to YouTube pages with the same account name. That’s at least a nice start to dive deeper into any kind of investigation you are doing.
_Update December 6, 2019
_There are different identifiers when it comes to a YouTube account. First of all we have the URL with the long identifier:
Then there is the name of the ‘owner’ of the account, in this example that is ‘tipsbmx’. This is the ‘display name’ that a user can chose to be shown on the YouTube channel itself:
To find the actual YouTube user account behind it, we look inside the source code of the page. This can be found by searching for the parameter ‘ownerProfileUrl’ or ‘vanityChannelUrl’:
Within the source code there is also the userID, as stated before. To find that, simply search for ‘plus.google.com’, like this:
This eventually ties together four pieces of information:
To find the YouTube channel ID while only having the YouTube account name, fill in the following URL:
The first option to retrieve the Google userID needs you to be logged in. If you don’t want this, or for some reason you don’t have the option to do so, please scroll down and read the second option to find the owner information.
And yes, also within Google Drive there is an option to find some information about the owner. When we take a look at the Norton support scam (read about that here) that I investigated with MwOsint earlier this year, we find a link to a Google Drive that is hosting the installation software:
When we open the Drive, we see the name, email address and content. But there’s nothing more at first sight.
But inside the source code, there is the option to find the userID of the user that created the map, or in other words: Who is the owner. For that, we need to look for the 21 character string that starts with 10 or 11. To make searching easier, make sure you add the hexadecimal code for double quotes in front of it, which is \x22. So search for one of the following two:
There will be a few results, where the longer numbers are the userID of the owner of the Google Drive:
After that, we can use this userID to open up Google Photos, or in this case, the reviews and photos within Google Maps. And we find that the person we have been looking at back then, has used their fake account to leave an actual review for a restaurant in the area:
If you want to stay anonymous, or you can’t be logged in into Google Drive for some reason, there is another way of retrieving the information. Thanks to djnemec who found this little gem! The first step will be to open the developer tools and highlight the network tab. The second step is to filter the responses by setting it to permissions, so we can focus on what really matters. Then you open the Google Drive link you want to investigate and highlight one of the files you are interested in and there you go! One single HTTP request will be filtered out that contains the following information:
Google ties loads of ID’s together in the back-end, but not everything is as visible as we would hope. But still there is a lot we an do, be it manually or with the help of some tooling. I’m not really a developer, but I do love to dive into code and find out how things work, so I can use the information for my own advantage.
And when you have a data set that contain hundreds of mail addresses one can use to write a little blog for the OSINT community, it is always fun to find a (possibly) Dutch person in that set of data:
Why Dutch? Well, that’s a whole different riddle…
Have a good week and have a good search!