Random users Google Voice mail is searchable by anyone?
Holy crap. It seems that Google is going to have some pretty serious explaining to do this morning, as one of our readers has sent us in a tip that reveals a major security flaw involving Google Voice. After entering “site:https://www.google.com/voice/fm/* ” into Google, our reader was shocked and discouraged to be greeted by 31 voice mail messages belonging to random Google Voice accounts. Clicking on each revealed not only the audio file and transcript of the call, but it also listed the callers name and phone number as it would if you were checking your own Google Voice voice mail. We’re not too sure if this flaw is something new or if it has been around since Google Voice started, and could just be test messages, but needless to say the matter has to be fixed if it’s legit. Some censored screenshots are after the jump.
Thanks, Brian!
UPDATE: It seems as if these voicemails have been publicly posted/shared online and Google indexes them. Here’s official word:
“Since the initial idea behind posting a voicemail, was precisely to share it with others, we did not restrict crawling of those messages that users post on the web, but we can certainly understand that users would want to make them public on their sites but not necessarily searchable directly outside of their own website. We made a change to prevent those to be crawled so only the site owner can decide to index them.”
If you put it online, expect a) search engines to index it, and b) bored people to search for weird things and go poking around in them. Common sense, people!
When you do updates in a story, could you apply the time/date of the update?
I’m curious as to how many people still posted BS AFTER the update.
Reading. It’s fundamental.
But hey, good going BGR! Let a single reader show you something questionable and you should just post it right away rather than ask all parties involve and get the facts first. Thats that new age journalism: Lie first, then clarify later.
Another serious Google Voice flaw exposed! Not only what BGR reports but Google voice SMS service has a serious flaw on old GrandCentral accounts. Some of the text Messages are rerouted and sent to a third party who can actually reply as if the GV user sent it!! As you can imagine this causes havoc on business users of Google Voice requiring number changes. Also, the SMS exposes the intended persons phone number to the third party as well! Google is aware of this but has been quiet– maybe looking for a fix.
That is a rather large hiccup on Google’s behalf. Someone is always bound to find it. I think they already cleaned up the search results.
http://googlevoiceblog.blogspot.com/2009/10/about-voicemail-and-privacy.html
google’s announcement about the issue
Google’s response doesn’t address the fact that SMS text message are somehow being sent to a third party without the GV user ever receiving the text,therby exposing the senders real cell phone number and message to someone they don’t even know. Again, Google knows of this problem– there are numerous reports of not properly receiving text messages. This security flaw can allow a malicious user to acccess a person Google Voice accounts with a little guesswork without using the url method.
Financial institutions do a better job at securing your data. The guys at Google that did this clearly didn’t know what they were doing.
Internet users should do a better job at understanding how the Internet works. The guys at Google clearly know what they are doing and the Internet is clearly in need of some basic tutorials for those who originally used AOL because they thought it WAS the Internet.
Thanks for the info, I really enjoyed reading your posts, there is some great info here.