Open source tool hunts for active Google IDs, YouTube channels, and other Google-owned services

A new open source tool allows security teams to explore data created by Google accounts.

GHunt lets individuals, or security experts, analyze a target’s Google “footprint” based just on an email.

The open source intelligence, or OSINT, tool can extract the account owner’s name and Google ID, YouTube channel, and active Google services, including Photos and Maps.

GHunt can also reveal public photos, phone model, make, firmware and installed software, and potentially, the user’s physical location.

Hunting high and low

The tool was developed by Thomas Hertzog, otherwise known as “mxrch”, who is hoping to start a career as a penetration tester.

“GHunt is for people curious about the public information generated by their Google activity and what an attacker might extract from it, or people using OSINT in their work, such as in threat hunting,” Hertzog told The Daily Swig.

The researcher says he developed the tool based on work carried out by OSINT specialist Sector035.


RECOMMENDED Latest web hacking tools – Q3 2020


Hertzog pointed out that other developers are now adding to the tool with Docker and Windows subsystem for Linux (WSL) support.

Although the tool works through free Gmail addresses, Hertzog believes this can still cause issues for businesses, including G Suite (now Google Workspace) users, where employees have used a free address to register for services.

“GHunt can be used by white hat and pen testers to test if emails found during a pen test are sensible and can leak other information, but can also be used in threat hunting to identify and track down threats,” he said.

“I see a lot of people using their personal Gmail address on their LinkedIn. People should separate their personal accounts from their professional accounts.


Read more of the latest open source software security news


“When you register your Google account, you don’t have a popup saying, ‘Everyone will be able to access to your Google Maps reviews by default and your Picasa archived photos’.

“But I think it is also a lack of education about the dangerousness of leaving such information in public. Most people have no idea that their 50 Google Maps reviews allow us to identify their probable location with a very basic algorithm.”

The GHunt algorithm also has close to a 100% success rate in identifying linked YouTube channels, Hertzog said.


Data control

GHunt is one of a growing number of tools that use open source information to compile data about online users’ identities and activities. Often, the target subjects are unaware of just how much data are available.

This is a growing problem, security experts suggest, with “free” online services.

“I don’t think individuals are generally sufficiently aware of what information they are giving up by using services or the traces they are leaving behind as they use devices,” Carl Wearn, head of e-crime at Mimecast told The Daily Swig.

“Despite expectations of privacy and varying degrees of security, it will be a constant battle to stay ahead of what are essentially flaws or vulnerabilities in a system which others can exploit to gather information.

“I note some of the information the tool seeks to gather is exploiting default settings and these could easily be changed by the provider rendering it relatively ineffective for its intended purpose”.

Phishing pathways

“This tool demonstrates the amount and type of information which can be gained from a Google account email address through public interrogation of Google,” said Stuart Morgan, security consultant at F-Secure.

“Individuals and businesses [can use it] to help them understand the extent to which their information is publicly available, and to make any configuration changes or adjustments that they deem necessary as a result of it.”

As an OSINT tool, GHunt could be used for both threat intelligence gathering, and for attack simulation, he suggests.

“The information from tools such as this could be instrumental in a much longer and more complex attack path, such as social engineering which relies on rapidly building a credible relationship.”

Hertzog plans to continue to further develop the tool, including gathering more information on phone models used with Google accounts, and to probe deeper into Google services, including Maps and Picasa.


READ MORE Researchers map threat actors’ use of open source offensive security tools