Google Voice Mails Found In Public Search Engine

bonch writes "Google Voice Mails have been discovered in Google's search engine, providing audio files, names, and phone number as if you were logged in and checking your own voice mail. Some appear to be test messages, while others are clearly not. Google has since disabled indexing of voice mails outside your own website."

The Real Problem is ...

[itzfritz]

The real problem, IMO, is that Google Voice voicemails are world-readable to begin with. The only security is the URL scheme. If that can be reverse engineered, the privacy of all google voice users will be in danger. (fyi I have tested this myself. The url scheme is "https://www.google.com/voice/fm/20-digit account id/long b64 encoded binary string", and these urls can be viewed by unauthenticated users. Note the use of https; while no man in the middle will read my voicemail, the man on one end can ;)

data posted on the internet found on the internet!

[Kenja]

Dont want data to be found online? Dont put it out there for people to find.

Total non-issue.

Re:User action?

[geekboy642]

You speak facetiously, of course, but spending the time and effort to setup your own email server is a very valuable exercise. And at the end, you get an email account with no limits. Want ridiculously tight spam filters? Easy. Want to send and receive 1GB email attachments? Your insanity can be catered to.

And best of all, nobody is sitting there watching all of your emails and serving you ads based on what you're emailing about.

Re:User action?

[DragonWriter]

It sounds like something that wouldn't happen if you used commodity PC hardware to set up your own voice mail system.

Yes, if you used commodity PC hardware to set up your own voice mail system, you probably wouldn't have automatic transcription that it would be even theoretically possible for you to directly post your voice mails on the web, so it wouldn't be possible for you to expose information the way you could choose to do with Google Voice.

OTOH, it would be a lot more expensive for the fewer features you would get, so I'm not sure its all that worth it. It would be easier just to use Google voice and not post your own voice mails.

Note that all of these emails are emails for which the URLs were posted by the user on a public website, and which were subsequently (and as a result of that posting) crawled and indexed by search engines.

Oh, noes! Search engines find things that are posted publicly on the internet. The horror!

Re:User action?

[antifoidulus]

Actually it was 86.4 milliseconds, but when you are only expecting .0001% uptime, you cannot expect your service provider to be able to do arithmetic :P

BGR isn't the "exclusive" first story

[Anonymous Coward]

BGR stole it from 4chan's /g/ (technology) board last night. See Google's index [google.com] for proof. We were discussing it at 2AM, someone tipped off google, and BGR saw it on 4chan & reported on it. They misrepresent themselves as the story source, though.

Re:The Real Problem is ...

[Omnifarious]

And, you know, if I 'reverse engineer' the right bunch of binary digits I can read all the credit card information in your https transactions. That bunch of binary digits being your AES key.

If Google was in the least intelligent, that string would either be a random number or a hash (basically a random number if you don't know the exact data that went into it) of the voicemail contents plus the user and some other stuff. Personally, I expect they are in the least intelligent and that the URL is about as 'reverse engineerable' as the AES key your browser used to talk to the place you bought your latest motherboard from.