Hangout Sniping
Basic Description
"Sniping" is the colloquial term which the community gave to an exploit ("feature") in Google Hangouts which allows anyone to remove another account from an external hangout chat group, without any kind of permissions check. If the removed user is in the hangout associated with that chat group, they will be ejected from that hangout within seconds of being "sniped" and will be prevented from re-joining. Nearly all hangouts have external chat groups and are therefore vulnerable to sniping by anyone who has access to the hangout link. The sole exception is corporate hangouts, which have no external chat and therefore are immune to being sniped.
This could hardly be considered an "exploit" since it requires no hacking, technical knowledge, or packet voodoo of any kind to abuse. It seems to be the case that the Hangouts dev team at Google considers the ability to snipe hangouts to be an intentional feature, which they have no interest in fixing. If there's any better proof that Google doesn't give a flying fuck about Hangouts, I can't think of any.
This "feature" was first made available by an update to the Google Hangouts front-end interface on July 14th, 2016. The first person to discover (and abuse) the exploit was Josiah "BroJoSavedByGrace" McClain, who used it to vandalize one of Steve McRae's live hangouts that evening. Upon becoming aware of it, GDC member Kevin Buchik researched the exploit (becoming quite shocked at how simple it was, and how someone at Google actually thought allowing people to remove anyone from any hangout was a good idea), and proceeded to write a detailed bug report for people to submit.
Google's security team responded within days, acknowledged that it was a problem and promised to pass it on to the Hangouts development team. After more than a month of silence, the response came back that the Hangouts dev team had allegedly implemented this "feature" on purpose and had no intention of fixing it.
Since pretty much everyone knows how sniping works at this point, Kevin's vulnerability disclosure writeup on it can be read here. Feel free to follow the instructions and submit it to Google again if you want, but it's highly unlikely that it will do any good.
Short of porn bombing and filing a false DMCA claim, sniping a hangout without permission is generally considered to be one of the most antisocial things one can do in this community, and will get you immediately called out and blocked by numerous people. Though things didn't end up being quite as bad as people first thought, sniping continues to be a problem whenever one of the less savory elements of the community decides to vandalize someone's hangout.
Known Hangout Snipers
- Josiah/BroJoSavedByGrace
- Darwins Deity
- Rob Beasley
- G Man (removed people from his own hangouts and accused them of sniping; he's also a doxxer)
- Brenda Von Ahsen (evidence)
- Outbound Unstoppable/Unblockable
- The Immortal Great Heathen Army I (pornbomber)
- Down Corner
- Timmy Osman
- Anthony Riley (Sleeping Warrior)
- 1stop4gamers (A.K.A 1stop4 gamerslive, A.K.A you been exposed)
- John May/Bulldog
- Jordie Weeds (only dumbass flat earthers though)
- p mars (sniper and pornbomber)
- Lookapig (also known for doxxing and phishing/sending malicious links)
Karma Snipes a Sniper
Darth Dawkins, who is a serial sniper, gets "karma" while trying to debate in a Brett Keane hangout. Darth gets repeatedly sniped and has to keep rejoining on a new account, only to be sniped again. *Note: GDC does not condone sniping snipers.