GoogleVoice Voicemail Flaw?
This isnt good.
"Holy crap. It seems that Google is going to have some pretty serious explaining to do this morning, as one of our readers has sent us in a tip that reveals a major security flaw involving Google Voice. After entering “site:https://www.google.com/voice/fm/* ” into Google, our reader was shocked and discouraged to be greeted by 31 voice mail messages belonging to random Google Voice accounts. Clicking on each revealed not only the audio file and transcript of the call, but it also listed the callers name and phone number as it would if you were checking your own Google Voice voice mail. We’re not too sure if this flaw is something new or if it has been around since Google Voice started, and could just be test messages, but needless to say the matter has to be fixed if it’s legit. Some censored screenshots are after the jump.
Random users Google Voice mail is searchable by anyone? : Boy Genius Report
Google Voice Mail searchable by ANY random user?
It was initially being reported that there is a MAJOR security issue with Google Voice Mail. Readers at BGR are stating that a trip to https://www.google.com/voice/fm/* in Google revealed over 30 voice mail messages belonging to various Google Voice accounts. Each revealed link showed the voice mail transcript, audio file, and even the caller's name and phone number.
However, after a little digging it seems these voice-mails were publicly posted online and have been indexed by the Google service. Here is the official word from Google:
"Since the initial idea behind posting a voicemail, was precisely to share it with others, we did not restrict crawling of those messages that users post on the web, but we can certainly understand that users would want to make them public on their sites but not necessarily searchable directly outside of their own website. We made a change to prevent those to be crawled so only the site owner can decide to index them.”
Remember, if you don't want it known, don't put it on a computer!
Last edited by sunkast; 10-19-2009 at 02:29 PM.
Originally Posted by TemperamentalMan
Yeah, I was reading the big deal that was being made over this and remembering that when my Grand Central account fully switched over to being Google Voice I was prompted to choose if I wanted my messages indexed or not. It's amazing how people will take a story and run it as a big security issue without checking 1st.
Originally Posted by OcaNyc
It isn't a flaw and BGR should have done it's homework before reporting it as such. They've now updated their site. The messages were indexed with the owners approval.
I see that now. Thought I noticed the dates on some of those from months ago.
Originally Posted by cj100570
Originally Posted by OcaNyc
Some other readers noticed it too. I posted over there how when my Grand central account became Google Voice there was an option to have my messages indexed or kept private. Being paranoid, I opted for private. Lol. I've noticed that the option is no longer there at all so I assume it's private by default now.
Tags for this Thread