I just saw a tweet for a Google Custom Search Engine (CSE) that searches Google domains. The CSE lets you enter a string such as “home”, and it then searches the Google domains that the creator of the CSE, Stefanie Proto (@sprp77), specified and returns the results for that term.
So I was playing with the CSE, https://cse.google.com/cse/publicurl?cx=006205189065513216365:uo99tr1fxjq, and I noticed that when I entered a term, it retrieved many photo album archives from Google’s users where the users had used that term for a file name or in the caption of a picture. Here is an example of results from searching for the term “corn”.
I know you are thinking, “Woo hoo Micah. Corn.” in your most sarcastic voice. Stay with me.
Notice in the pic above that some of the domains that had our results are plus.google.com and some are get.google.com? Let’s click on one of those get.google.com results and see the picture.
Yay! We see the images that some user has published to the internet. We have no idea if they are intentionally doing so, so I blurred the faces to help protect their privacy. In the real version on Google’s servers, you’ll see the images without the blurring.
I drew a yellow arrow in the upper left of the above image to point out the “back” button. Click that and you will see the user’s other public photo albums. I did it for you below.
We can see that there are a number of other photo album archives that this “taz” (see the name in the upper part of the image) has made public.
Google Profile Photos
If you have a Google account, they know a LOT about you. One thing that connects all your accounts is your profile picture. So, let’s go into taz’s profile picture album (yellow arrow in above photo) and see some of his photos.
Clicking that album shows only a single image. We click it to get down to the actual image. Now we can see whether Google knows more about this user by right-clicking on the image and selecting “Search Google for Image” (I’m using Google Chrome for this work…should have said that earlier).
The results are shown on the Google search results page and…..fail. No other accounts show with this profile photo. You might have success though…as I did with other searches.
How Would a Criminal Use This?
OK, we have the technique:
- Use the CSE to search for something
- Look for the albums with a domain of “get.google.com” (not plus.google.com)
- Go into an album
- Hit the back arrow (upper left)
- Look for Profile photo
- Drill down into the profile photo and “Search Google for Image” for each
- Examine the results and see if there are any connections to users
So I started thinking evil-ly. What if criminals were using this? What if I entered a search term such as “new bike” into the CSE and then maybe I could find someone who just got a new bicycle (and the implication would be that the criminal might steal it). So I tried it.
I searched for “new bike”.
Clicked on the album for the first get.google.com address (yellow arrow) and saw a person with a new bike.
I clicked the upper left back arrow (yellow arrow below).
I found that person’s Google Profile Photos album and clicked it.
I found an image and performed a “Search Google for Image”. This brought up a page with a bunch of false positives and one true positive at the bottom. See below for a link to a blog on WordPress.com.
The above entry for the blog is in a foreign language. When I visited the page in Chrome, it offered (and I accepted) to translate the page for me (see red arrow in the upper right pointing to the translated icon). When it did, I clicked the “About me” link on the blog and now I have much more information about this person…a person who got a new bike. 🙂
I See Some Flaws
Of course you do. Those who have thought about my original premise of “people with albums of their new bike” have probably realized several problems that a true criminal might have:
- When was the picture taken? Just now or is that “new” bike pic from 3 years ago? To address this, could you make your own CSE and modify the results to only show results from the last week or month?
- Where does this person with a new bike actually live? In my case it was Bulgaria, which is a little bit outside of my travel zone for doing anything to his bike. Perhaps there are other changes that could be made to the CSE to account for this as well?
There are other issues too, such as “What if my target has no Google account?” or “What if there are no results for the reverse image search of their profile pic?” Those could happen to you.
Filling Your Tool Box
This blog post introduces a technique that you can put in your OSINT tool box. Just like real tool boxes that have screwdrivers, pliers, and hammers in them, you collect tools and then use them when you have the appropriate job that needs doing (screwing in screws, tightening a bolt, or hammering a nail, respectively).
Take this technique, place it in your OSINT tool box and use it for good.
If you are interested in making your own Google Custom Search Engine (CSE), visit https://cse.google.com/cse/.