October 20th, 2009

Google Voice mails exposed for all to see and hear

Posted by Ryan Naraine @ 7:52 am

Categories: Browsers, Google, Hackers, Locally Running Web Servers, Passwords, Phishing, Responsible disclosure

Tags: Google Inc., Telecom & Utilities, Ryan Naraine

A simple search query has exposed Google Voice mail messages (audio and transcript) for anyone to see and hear.

As first reported here, a user entering “site:https://www.google.com/voice/fm/*” into the Google search bar discovered random voice mail messages belonging to random Google Voice accounts (see screenshot below).

Clicking on each revealed not only the audio file and transcript of the call but also the caller's name and phone number, just as you would see when checking your own Google Voice voice mail.

I was able to replicate the issue and listen to several voice mail messages, including some legitimate ones with potentially sensitive information.

Here is Google’s official response to this disclosure:

Since the initial idea behind posting a voicemail, was precisely to share it with others, we did not restrict crawling of those messages that users post on the web, but we can certainly understand that users would want to make them public on their sites but not necessarily searchable directly outside of their own website. We made a change to prevent those to be crawled so only the site owner can decide to index them.

At the time of writing this blog post, the search query was no longer displaying any results.
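The distinction in Google's response, between a message being public by link and being searchable, can be checked for any share-by-link page. The following is an added example, not code from Google or from this post; the post does not say which mechanism Google used, and the host, path and function names are constructed for illustration.

```python
import urllib.robotparser
from html.parser import HTMLParser

NOINDEX = {"noindex", "none"}  # "none" is shorthand for noindex, nofollow


def split_directives(value):
    """Split a comma-separated robots directive list into a lowercase set."""
    return {d.strip().lower() for d in value.split(",") if d.strip()}


class RobotsMeta(HTMLParser):
    """Collects directives from <meta name="robots" content="..."> tags."""

    def __init__(self):
        super().__init__()
        self.directives = set()

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "robots":
            self.directives |= split_directives(a.get("content", ""))


def index_status(url, robots_txt, headers, html, agent="*"):
    """Classify a share URL as 'crawl-blocked', 'noindex' or 'indexable'."""
    rp = urllib.robotparser.RobotFileParser()
    rp.parse(robots_txt.splitlines())
    if not rp.can_fetch(agent, url):
        # A crawler that obeys robots.txt never fetches the page, so it cannot
        # see a noindex on it; the bare URL can still be listed if linked.
        return "crawl-blocked"
    seen = set()
    for name, value in headers.items():
        # Agent-scoped values such as "googlebot: noindex" are not handled here.
        if name.lower() == "x-robots-tag":
            seen |= split_directives(value)
    meta = RobotsMeta()
    meta.feed(html)
    seen |= meta.directives
    return "noindex" if seen & NOINDEX else "indexable"


# Constructed sample inputs (hypothetical host and path).
URL = "https://voicemail.example/shared/msg-1"
PAGE = "<html><head><title>Shared message</title></head></html>"
PAGE_META = '<html><head><meta name="robots" content="NOINDEX, nofollow"></head></html>'

if __name__ == "__main__":
    print(index_status(URL, "", {}, PAGE))  # no control at all
    print(index_status(URL, "", {"X-Robots-Tag": "noindex"}, PAGE))
```

A page that is meant to be shareable but not searchable should come back as `noindex`; `crawl-blocked` alone stops the content being fetched but does not guarantee the link stays out of results.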

UPDATE: Here’s a new blog post from the Google Voice team explaining the situation.

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.
