NOTE: This blog post does what it talks about. Or at least it did before Google blocked the site's API access. It's the "This website uses cookies to ensure you get the best experience on our website. Learn more" button that does the clickjacking. https://blog.innerht.ml/google-yolo/ Google's reply to a VRP submission: That's why we don't trust login widgets, right? But Google did block the site's API access, so there's no email address shown. See https://twitter.com/LiveOverflow/status/994560352149999616 for an example when it worked.