After my ‘Week in OSINT #2019–49’ went live, I received questions about Google userIDs, how you can find them and what you can actually do with them. So I decided it was time to write a short article about it.

Update: On May 25, 2020 I posted part II with some more hints and tips.

The Deal with Google IDs

Not everybody who owns a Google account may be aware of it, but Google uses a lot of different numbers, IDs, signatures, account names, randomly chosen gobbledygook and meaningless strings to identify your account. Not everything can be tied together easily, but there are a few handy shortcuts when you are looking at Gmail addresses or a YouTube account, for instance. I am not able to do this in bulk yet, but I know there are people out there who might be able to make that happen.

First of all, from back in the days of Google+, every account that got connected to Google apps like Maps and Photos has a unique ID. The ID used to be visible when you opened someone’s Google+ page or viewed their photo album.

Just a random photo album out there

But is it possible to find out from just a Gmail address what photos someone posted online? Or what reviews they left behind? Or maybe even track the YouTube playlist they created? Yes, that is indeed possible.

But for that, we first need to find out what the userID is for a specific Gmail address that you have. For that, I dove into the dump of Iron March, filtered out all the mail addresses ending in @gmail.com and started to write.

Pulling in the Data — Quick and Dirty

Disclaimer: I’ll be touching on this later on too, but I didn’t write any scripts for this! This is all manual labour and works easily for small numbers of mail addresses. If you are able to write a tool, please be my guest! More details can be found later in this article.

The easiest and fastest way to get your hands on a bunch of userIDs is by using Google Contacts. Just prepare a CSV file with the names and email addresses of your targets, and import them into your contact list.

Update December 4: There is another way of finding these userIDs, read on to find out.

A list of 624 Gmail addresses, sitting in the contact list of a sock account

The next step is to open the developer tools and reload the page, because we are going to try and find the ‘raw’ response of the servers that contains details of the contacts you added. The response can be spotted in a set of four requests to ‘contacts.google.com’ that contain the endpoint ‘batchexecute’.