Gmail Reveals the Names of All Users

ihatespam writes "Have you ever wanted to know the name of admin@gmail.com? Now you can. Through a bug in Google calendars the names of all registered Gmail accounts are now readily available. All you need to find out the names of any gmail address is a Google calendar account yourself. Depending on your view this ranges from a harmless "feature" to a rather serious privacy violation. According to some reports, spammers are already exploiting this "feature"/bug to send personalized spam messages."

Is it really that big of a deal?

[i'm lost (1247580)]

If I was worried about privacy with my gmail account, google wouldn't have my actual name to have the ability to give it out.

Re:Is it really that big of a deal?

[Motherfucking Shit (636021)]

If I was worried about privacy with my gmail account, google wouldn't have my actual name to have the ability to give it out.

That's all well and good until you decide to start using actual Google services (Checkout, AdSense, AdWords, and the like). It's possible to do these things with a non-GMail email address, but you have to create a Google account anyway, so I'd venture to say most folks use their GMail address if they already have one.

D'Oh

[Atari400 (1174925)]

chunkylover53 is going to be most displeased.

Re:D'Oh

[ChowRiit (939581)]

Fortunately for Homer Simpson, that's @aol.com

Re:D'Oh

[rice_web (604109)]

Surely that's the first time it's been fortunate to be on AOL.

I can't believe Google would do this!

[by Anonymous Coward]

Really, now everyone will know my name is John Smith? I am outraged and will see my lawyer immediately!

-- john.smith@gmail.com

Is This Evil?

[abirdman (557790)]

But, does this constitute evil? So far so good. My gmail account is my real name anyway. I'll be looking out for the evil...

Re:Is This Evil?

[Admodieus (918728)]

If this story was about a similar bug with Hotmail and Windows Live Calendar, yes it would.

Re:Is This Evil?

[dhavleak (912889)]

Sure, it's an unfortunate bug. Yes, the spam has potential to annoy--but it's spam; would you even notice a few more in the spam box?

It's more serious than that. Once the spammers know your name they can construct more personalized messages which has two implications:
- Increased chance of success in a social engineering attack.
- Better chance of fooling a spam filter.

If you're the kind of person who emails others without disclosing your real name, why would you give your real name to the email provider?

Spammers don't wait for you to email them. They buy lists of email addresses in bulk. For this particular vulnerability, they can even use a random generator and just keep track of the hits when adding appointments to the calendar.

Unless I'm a spambot, I'm not going to sit down and type out random strings of words and numbers to find out the name data on some arbitrary addresses. Whether it's Hotmail or Yahoo or Gmail doesn't matter here.

Assume you are a spambot then -- that's what TFA is about -- a security vulnerability in Gmail that spammers can take advantage of. Spammers are usually interested in creating spambots.

I don't know where OP's question about "evilness" comes in. Google deserves the benefit of doubt (about this being an honest mistake) as long as they fix it, rather than issuing some BS reason not to.

Head in the clouds

[gamanimatron (1327245)]

This is exactly why I remain leery of applications in the cloud. I've got a google account for work, and that's the only use it ever sees. And it's under real.name.company anyway, and has no other useful information associated with it.

I try really, really hard not to leave to broad a trail online. Those databases just never die (except when they do, of course - but the timing is subject to Murphy's Law, so it's never in my favor).

I'm gonna go hide in my cave now.

Just how personal is this new spam

[Pollardito (781263)]

Does this mean they're only sending spam to people who really need Cialis?

Re:Just how personal is this new spam

[LoonyMike (917095)]

Not yet but soon, just wait for the medical data to be compromised in a similar way.

Re:Just how personal is this new spam

[c_sd_m (995261)]

Any chance they could just do a dumb filter and exclude women with obviously female names? I'm really tired of getting spam about enlarging my [non-existent] penis, especially the more explicit ones. It would not 'give my partner more pleasure'.
At least change the 'your' to 'his'. That might even get you more sales than sending it to the men.

Oh that tears it.

[aztektum (170569)]

This is horrible. This is an outrage! I'm writing Google a letter telling them how awful this is an how they need to work on the Q/A. I mean my GMail address *IS* my full name, but I'm not going to let that fact stop me from acting like an emotionally charged idiot!

Bugs are to be expected...

[elnico (1290430)]

It's a good thing they caught this in beta, before it affects a large number of people!

Finally Sean Penn will have justice

[John Meacham (1112)]

http://www.theonion.com/content/node/44460 [theonion.com]

The *real* security risk...

[Peet42 (904274)]

...is that this will allow Phishing scams aimed at GMail users to *seem* so much more plausible.

What? You expected humour?

Serious FERPA Violation

[Lord Byron II (671689)]

The Families Educational Rights and Privacy Act of 1974 allows a student at a university to require the university to not release their name to anyone. For example, if you check for my name at my school's phonebook, you'll find I'm not listed. If you call my registrar's office and ask for information on me, they'll tell you that they don't have a student by my name. You see, it's against the law for them to even confirm that I'm a student.

Since many schools have outsourced their email systems to Gmail, anyone can generate a full roster of student names through this trick. This could obviously result in many violations of FERPA.

Privacy...

[db32 (862117)]

Ok...so I only see this as an issue for people trying to hide their identity for something nefarious. I mean christ, I give out my full name a dozen times a day to people I don't know. "Hello, we have a circuit down and need to open a ticket." "Hello, I have a few questions about your product." and damned near every other statement you might make when calling another company is almost IMMEDIATELY followed by "Can I have your name please?" Of course this is after they answer the phone "Hello, my name is..."? Now granted they don't always use their last name if they are just phone jockeys, but almost anyone worth anything in terms of sales/technical/etc reps will give you their full name, email address, phone number, etc.

In other news, purchasing cigarettes and alcohol require you to disclose your first and last name when you show your ID! Even worse, there are rumors that every time you make a purchase using anything other than cash you have to disclose your first and last name. This isn't a privacy issue, maybe a privacy irritation, but certainly not anything to get in a ruffle about. It isn't like names are even really unique identifiers. Now if it revealed birthdays or SSNs or credit card numbers or something then I would understand.

Course, maybe there is something here I am ignoring. Do the people getting in a ruffle about this freak out when someone of the opposite sex asks their name? "Oh my god they are trying to invade my privacy!" Generally it is considered "normal" to give them your name so they have something to call you other than "freak" or "uberhax4234".

Real info?

[pyrote (151588)]

Really, I wonder how many times people have used bugs like this to steal an identity, only to find that it's all fake info anyhow.

Personally, every few years, I Re-invent someone... Use a fake(completely fake, not false) identity for everything from Cellphones to gmail.

I google my real name, nothing, google my 'fake' like 20 pages. My 'fake' identity is WAY more famous than I am... I'm kinda jealous.

That's why my gmail address...

[rivaldufus (634820)]

is just my Social Security number.

Re:This only punishes the foolish

[QuantumG (50515)]

This bug really doesn't affect me as my email address is my real name.

Re:This only punishes the foolish

[Shados (741919)]

ahah! But now the spammers KNOW FOR SURE that there isn't an underscore/dash/whatever between your first and last name! You're so screwed!

Re:This only punishes the foolish

[by Anonymous Coward]

Gmail strips out punctuation. So email to First.Last@gmail.com goes to the same inbox as FirstLast@gmail.com

Re:This only punishes the foolish

[Shados (741919)]

Then they'll know what part is your first and last name regardless of capitalization! THIS IS HUGE!

Re:This only punishes the foolish

[Sparr0 (451780)]

citation needed. seriously, what you describe would be a huge security/privacy hole, and I don't believe you.

Re:This only punishes the foolish

[by Anonymous Coward]

Oh man! So email can be sent to me at the.rapist@gmail.com or therapist@gmail.com?

Re:This only punishes the foolish

[antek9 (305362)]

Yes, and using the exploit referred to in the article, your real names will be revealed as Jekyll and Hyde, respectively.

Re:This only punishes the foolish

[afidel (530433)]

They also ignore anything after a + sign, so I use username+site@gmail.com to sign up for legit stuff where I think there's a chance of getting spammed in the future, if I do get spammed on that alias I write a rule to drop it to the floor and contact the company letting them know they now have zero chance of getting future business with me. The only problem is when a stupid validation script writer doesn't know how to read an RFC and claims the address is invalid. In that case they get my old excite address which is nothing but a spamhole. I guess I could use my google apps address, but it's too much of a pain to create a new user just for one site and I never read the catchall mailbox unless I know I'm missing an important email.

Re:This only punishes the foolish

[Drakonik (1193977)]

False. For GMail, dots are invisible in regards to who receives the email. Emails sent to foobar@gmail.com and foo.bar@gmail.com and f.o.o.b.a.r@gmail.com all go to the same address. Messages sent to foo.bar@gmail.com don't go to bar@gmail.com.

Re:This only punishes the foolish

[antek9 (305362)]

Correct. Gmail explains it this way (try sending an e-mail to yourself, putting in some dots, and you'll of course receive it yourself, with a small link in the header next to the recipient address (appropriately named, 'yes, this is you'):

Sometimes you may receive a message intended for someone whose address resembles yours but has a different number or placement of dots. For example, your address might be homerjsimpson@gmail.com, but the message was sent to a Homer.J.Simpson@gmail.com. What's going on?

Gmail allows only one registration for any given username. Once you sign up for a particular username, any dot or capitalization variations are made permanently unavailable for new registration. If you created yourusername@gmail.com, no one can ever register your.username@gmail.com, or Your.user.name@gmail.com. Furthermore, because Gmail doesn't recognize dots as characters within usernames, adding or removing dots from a Gmail address won't change the actual destination address. Messages sent to yourusername@gmail.com, your.username@gmail.com, and y.o.u.r.u.s.e.r.n.a.m.e@gmail.com are all delivered to your inbox, and only yours.

If you're homerjsimpson@gmail.com, no one owns Homer.J.Simpson@gmail.com, except for you. Sending mail to Homer.J.Simpson@gmail.com is the same as sending mail to homerjsimpson@gmail.com, or even HOMERJSIMPSON@GMAIL.COM. If you're getting mail addressed to Homer.J.Simpson@gmail.com, most likely someone was trying to send a message to Homer.J.Sampson@gmail.com, or Homer.J.Simpson1@gmail.com, and made a mistake. You might even get messages from mailing lists or website registrations because the intended recipient accidentally provided the wrong email address. In these cases, we suggest contacting the original sender or website when possible to alert them to the mistake.

For security reasons, when you log in to Gmail, you must enter any dots that were originally defined as part of your username.

Note: Google Apps recognizes dots. If you'd like to receive mail with a dot in your username, please ask your domain administrator to add the desired username as a nickname.

Re:This only punishes the foolish

[pha7boy (1242512)]

you are incorrect. john.richards@gmail.com send mail to johnrichards@gmail.com not to richards@gmail.com. Stripping the punctuation means gmail ignores it, not kills off the first part.

what you are talking about is using + in your email address: see here Google Blog [blogspot.com]

Re:This only punishes the foolish

[ThePengwin (934031)]

Wait, the Rolexes are fake?!?!

Re:This only punishes the foolish

[zamboni1138 (308944)]

There are two X's in Rolexx.

Re:This only punishes the foolish

[jacquesm (154384)]

mine goes to thirteen...

Re:This only punishes the foolish

[Zymergy (803632)]

Ditto.
Since all names are really all about pretense, I set up mine on Gmail as "firstnamelastname@gmail.com" (Where 'firstname' and 'lastname' are my actual names.
I think there are only eight or ten other people in the US with my same spelled the same anyway. Regardless, I think Gmail's spam filters have only let a couple of false negatives into my Inbox.
*THIS* is why I use very different passwords for web mail as say, my banking or credit report service passwords, etc... If the password file were to be breached, I would only have one to change.
I suggest a good password management app such as this one: http://passwordsafe.sourceforge.net/ [sourceforge.net]

OMG ... first names... then what? Last names?

[PC and Sony Fanboy (1248258)]

Honestly - your name isn't a secret...

and if you're trying to hide your identity and you put your real first / last name into a free service, you're a moron.

Spam doesn't worry me, it's privacy.

[Spy der Mann (805235)]

This goes well beyond the scope of SPAM. Once they match your real name with your e-mail, they can start finding out what you do online, what sites/forums you visit, etc (Google knows everything).

I'm much more worried about ID thieves finding out about my life than about getting personalized spam.

Re:This only punishes the foolish

[aldo.gs (985038)]

Where 'firstname' and 'lastname' are my actual names.

Damn! Some nasty name you got there! Perhaps I'll name my son 'firstname' too!

Re:This only punishes the foolish

[Nasajin (967925)]

What, your parents named you Quantum G?

Re:This only punishes the foolish

[3vi1 (544505)]

No, her parents named her Moon Unit. What kind of fucking name would "Quantum G" be?!?!

So's mine.

[SatanicPuppy (611928)]

I wondered why all the spam was suddenly titled, "Hey Satanic!" and "Dear Mr. Puppy"

Re:This only punishes the foolish

[thedullroar (944296)]

oh noes! they can figure out my real name just by using google calendar and my email address (first.last@gmail.com)!?

Re:This only punishes the foolish

[caffeinemessiah (918089)]

I mean really... Does anyone with a lick of sense actually give their real name to a free web-based service?

In short, yes. Ever since GMail was launched and people discovered that its way more convenient that Outlook/Yahoo/etc., there's been a steady conversion of addresses in my contact list to "@gmail.com". People are moving to GMail as their primary mail accounts -- I don't know if you've been listening since 1998, but "free web-based email" is now often much, much better than whatever your university/company offers.

So yeah, this is a pretty big deal -- not so much for spammers, but as a privacy violation. You can't do a name lookup for an arbitrary e-mail address, and you shouldn't be able to do it for a GMail address. Someone should get an ass-kicking for this.

Re:This only punishes the foolish

[nbannerman (974715)]

Someone should get an ass-kicking for this.

Agreed. I'll certainly be asking for my money back...

Re:This only punishes the foolish

[RevMike (632002)]

So yeah, this is a pretty big deal -- not so much for spammers, but as a privacy violation. You can't do a name lookup for an arbitrary e-mail address, and you shouldn't be able to do it for a GMail address. Someone should get an ass-kicking for this.

You know what else... Someone left a thick softcover book on my doorstep the other day that listed the names, addresses, and phone numbers of everyone in my region. Hundreds of thousands of people, maybe millions. I called the police about this, but they seemed unconcerned.

Re:This only punishes the foolish

[Dun Malg (230075)]

I know individuals with a hell of a lot of sense who would give their real names in such a situation.

So? Part of the reason for that is that full names in and of themselves are not really a security risk. I walk around all day in public with an ID badge that gives my first and last name. Big deal. Our names are our public identifiers.

Re:This only punishes the foolish

[NickCatal (865805)]

Why would they have such an unnecessary expense?

I have no problem giving people my gmail account address for business-type-transactions because it is a hell of a lot easier to keep track of my conversations and actually get business done using gmail. When I do need a "professional" email address I usually just have it forwarded to my gmail account, again, because it is easier to keep my life organized that way.

Not to mention how great gmail and Google Calendar Sync work on my BlackBerry.

It has really become a first-rate application suite for just about every use.

Re:This only punishes the foolish

[hal9000(jr) (316943)]

for a small business owner, why not. I manage a few websites. Very, very small. Less than 20 people have write access. They wanted email. some users would use outlook or outlook express, others wanted a web mail front end. The email client the hosting service had was horrible so I hooked them up with a gmail hosted services. It works very, very nicely for them.

there are some cases where Google is a good alternative to other options.

Re:Ouf

[game kid (805301)]

...after which exercise balls (in lieu of the usual chair) will be thrown in a fit of unbridled anger (several tech websites will report a mysterious colorful stream of balls spilling out the Google offices).