Gmail Reveals the Names of All Users

ihatespam writes "Have you ever wanted to know the name of admin@gmail.com? Now you can. Through a bug in Google calendars the names of all registered Gmail accounts are now readily available. All you need to find out the names of any gmail address is a Google calendar account yourself. Depending on your view this ranges from a harmless "feature" to a rather serious privacy violation. According to some reports, spammers are already exploiting this "feature"/bug to send personalized spam messages."
  • IMAP (Score:1, Informative)

    by Anonymous Coward on Wednesday July 16, 2008 @07:27PM (#24221383)

    I think the reason for this is that most of the small business internet services, i.e. Verizon, Comcast, only provide POP email accounts. Gmail supports IMAP and a lot of people want to be able to use their email from multiple locations and have it sync up.

  • by Zymergy ( 803632 ) * on Wednesday July 16, 2008 @07:31PM (#24221425)
    Ditto.
    Since all names are really all about pretense, I set up mine on Gmail as "firstnamelastname@gmail.com" (where 'firstname' and 'lastname' are my actual names).
    I think there are only eight or ten other people in the US with my name spelled the same anyway. Regardless, I think Gmail's spam filters have only let a couple of false negatives into my Inbox.
    *THIS* is why I use very different passwords for web mail as say, my banking or credit report service passwords, etc... If the password file were to be breached, I would only have one to change.
    I suggest a good password management app such as this one: http://passwordsafe.sourceforge.net/ [sourceforge.net]
  • by Anonymous Coward on Wednesday July 16, 2008 @07:36PM (#24221487)
    Now everyone knows that my first name is Anonymous and my last name is Coward. I'm screwed. The Church of Scientology will finally find me.
  • Moron bug (Score:2, Informative)

    by Anti Globalism ( 1179429 ) on Wednesday July 16, 2008 @07:40PM (#24221531) Homepage Journal
    This seems to be rather a moron bug than anything else. They can have my fake alias name. What I worry about is rather how they treat the content of what's being sent and received.
  • by i.of.the.storm ( 907783 ) on Wednesday July 16, 2008 @08:09PM (#24221797) Homepage
    Actually, that's inaccurate, this was debunked a while ago. I can't remember the link off the top of my head but it's not true.
  • by Drakonik ( 1193977 ) <drakonik@gmail.com> on Wednesday July 16, 2008 @08:15PM (#24221867) Homepage

    False. For GMail, dots are invisible in regards to who receives the email. Emails sent to foobar@gmail.com and foo.bar@gmail.com and f.o.o.b.a.r@gmail.com all go to the same address. Messages sent to foo.bar@gmail.com don't go to bar@gmail.com.

  • by pha7boy ( 1242512 ) on Wednesday July 16, 2008 @08:27PM (#24221959)

    You are incorrect. john.richards@gmail.com sends mail to johnrichards@gmail.com, not to richards@gmail.com. Stripping the punctuation means Gmail ignores it, not that it kills off the first part.

    What you are talking about is using + in your email address: see here Google Blog [blogspot.com]

  • by Motherfucking Shit ( 636021 ) on Wednesday July 16, 2008 @10:11PM (#24222851) Journal

    If I was worried about privacy with my gmail account, google wouldn't have my actual name to have the ability to give it out.

    That's all well and good until you decide to start using actual Google services (Checkout, AdSense, AdWords, and the like). It's possible to do these things with a non-GMail email address, but you have to create a Google account anyway, so I'd venture to say most folks use their GMail address if they already have one.

  • by antek9 ( 305362 ) on Wednesday July 16, 2008 @10:12PM (#24222857)
    Correct. Gmail explains it this way (try sending an e-mail to yourself, putting in some dots, and you'll of course receive it yourself, with a small link in the header next to the recipient address (appropriately named 'yes, this is you')):

    Sometimes you may receive a message intended for someone whose address resembles yours but has a different number or placement of dots. For example, your address might be homerjsimpson@gmail.com, but the message was sent to a Homer.J.Simpson@gmail.com. What's going on?

    Gmail allows only one registration for any given username. Once you sign up for a particular username, any dot or capitalization variations are made permanently unavailable for new registration. If you created yourusername@gmail.com, no one can ever register your.username@gmail.com, or Your.user.name@gmail.com. Furthermore, because Gmail doesn't recognize dots as characters within usernames, adding or removing dots from a Gmail address won't change the actual destination address. Messages sent to yourusername@gmail.com, your.username@gmail.com, and y.o.u.r.u.s.e.r.n.a.m.e@gmail.com are all delivered to your inbox, and only yours.

    If you're homerjsimpson@gmail.com, no one owns Homer.J.Simpson@gmail.com, except for you. Sending mail to Homer.J.Simpson@gmail.com is the same as sending mail to homerjsimpson@gmail.com, or even HOMERJSIMPSON@GMAIL.COM. If you're getting mail addressed to Homer.J.Simpson@gmail.com, most likely someone was trying to send a message to Homer.J.Sampson@gmail.com, or Homer.J.Simpson1@gmail.com, and made a mistake. You might even get messages from mailing lists or website registrations because the intended recipient accidentally provided the wrong email address. In these cases, we suggest contacting the original sender or website when possible to alert them to the mistake.

    For security reasons, when you log in to Gmail, you must enter any dots that were originally defined as part of your username.

    Note: Google Apps recognizes dots. If you'd like to receive mail with a dot in your username, please ask your domain administrator to add the desired username as a nickname.

  • Re:Is This Evil? (Score:5, Informative)

    by dhavleak ( 912889 ) on Wednesday July 16, 2008 @10:21PM (#24222929)

    Sure, it's an unfortunate bug. Yes, the spam has potential to annoy--but it's spam; would you even notice a few more in the spam box?

    It's more serious than that. Once the spammers know your name they can construct more personalized messages which has two implications:
    - Increased chance of success in a social engineering attack.
    - Better chance of fooling a spam filter.

    If you're the kind of person who emails others without disclosing your real name, why would you give your real name to the email provider?

    Spammers don't wait for you to email them. They buy lists of email addresses in bulk. For this particular vulnerability, they can even use a random generator and just keep track of the hits when adding appointments to the calendar.

    Unless I'm a spambot, I'm not going to sit down and type out random strings of words and numbers to find out the name data on some arbitrary addresses. Whether it's Hotmail or Yahoo or Gmail doesn't matter here.

    Assume you are a spambot then -- that's what TFA is about -- a security vulnerability in Gmail that spammers can take advantage of. Spammers are usually interested in creating spambots.

    I don't know where OP's question about "evilness" comes in. Google deserves the benefit of doubt (about this being an honest mistake) as long as they fix it, rather than issuing some BS reason not to.

  • by lauterm ( 655930 ) on Wednesday July 16, 2008 @10:45PM (#24223119)
    That's only partially correct. A school can release directory information, including name, and dates of attendance unless the student opts out. http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html [ed.gov]

    I wouldn't want other students out there thinking that they are automatically protected. They do have to actually DO something to have directory information protected under FERPA.
  • by EdIII ( 1114411 ) * on Wednesday July 16, 2008 @10:54PM (#24223177)

    This is exactly why I remain leery of applications in the cloud

    I take that one tinfoiled hat step further. I remain absolutely untrusting (or trusting that the gravest possible negative outcome occurs 100% of the time) of every single company and government that I deal with.

    A company's or government's interests with your information are never the same as your own. The way in which other entities will use this data to further their own goals is not always in your best interests. It does not have to be nefarious mind you, but it also is rarely something that you would agree with yourself. This is why "privacy policies" and laws exist, which is to govern the behavior of both parties in regards to the data they share between them. When you have dealings with a company or government, I would argue that a relationship is created with regards to that data as well as certain rights to it. Currently, the individual is far less able to effectively control their information or enforce the laws, expectations, etc. pertaining to those relationships.

    The only solution to this is simple. The safety and proper use of your information is your responsibility and you cannot rely on ethics, morality, or the alleged existence of ethics and morality in government laws to protect you. You MUST take it by force.

    My own policy is simple - only give an entity the absolute bare amount of information required to deliver the service and/or product that you require of them. With respect to Google and other websites, that means choosing an email address or user name that does not reveal too much information about you. The first letter of your first name followed by your last name, or something equivalent. In my case the name itself is completely fictitious. As for the rest of the profile information, absolutely nothing accurate is entered at all. Complete obfuscation.

    Security Questions? Just another password. Except a security question allows another level of difficulty by various questions that it may ask. Never actually tell a website what your pet dog's name was. IP Address? Use TOR. Google does not need to know your actual IP address of where you are to deliver you service.

    Information across other websites? It does not have to be the same. Take measures to prevent analysis of data across multiple domains as well.

    I have always recommended to people that they unwaveringly apply this rule to all dealings that they have. My own driver license does not have my real physical address of where I am sleeping tonight. Slashdot does not have the public IP address of where this post came from. My utilities do not have any accurate information on me other than the property address and a mailing address OR a social security number either.

    This may seem like an irrational over the top reaction and/or behavior.... but when somebody as big as Google screws up, at least my information is not out there by either negligence or malice.

    I can honestly say that if you were to try to analyze all the available databases containing information about me (corporate or government), it could not lead you to physically find me. You may be able to communicate with me, but it will be on my terms.

  • Re:Is This Evil? (Score:3, Informative)

    by mr_matticus ( 928346 ) on Wednesday July 16, 2008 @10:57PM (#24223205)

    It's more serious than that. Once the spammers know your name they can construct more personalized messages

    They can already do this (and do), based on the name of your email account and other sources. The presence or absence of your name on your email account is not going to make a significant difference in the accuracy of their bulk lists.

    Better chance of fooling a spam filter.

    Based on what? The presence or absence of a name amongst the text is not going to affect spam scoring.

    Spammers don't wait for you to email them. They buy lists of email addresses in bulk.

    No shit. This doesn't have anything to do with that.

    For this particular vulnerability, they can even use a random generator and just keep track of the hits when adding appointments to the calendar.

    To what end? A person not susceptible to a social engineering attack isn't going to become more so because the email suddenly contains their name. What would be the point of using a random generator, signing up for a Google account, and pounding the hell out of the calendar servers to extract real names, when they can just BUY lists of names and addresses?

    Adding your real name to a spam message isn't going to make it any more believable. There are already plenty of phishing emails that use real names/service user names. Either people have the sense to figure it out or they don't. I don't see any evidence of a great many people teetering on the edge of, "if only they had addressed me by name, I'd click on that link."

  • by Anonymous Coward on Wednesday July 16, 2008 @11:09PM (#24223303)

    here [google.com]

    Your address is similar but has more or fewer dots (.) or different capitalization.


  • by Sparr0 ( 451780 ) <sparr0@gmail.com> on Wednesday July 16, 2008 @11:19PM (#24223397) Homepage Journal

    And it will go to the owner of last@gmail.com too. There's a lot of accounts with simple names like richards@gmail.com or gonzales@gmail.com which get ALL e-mail sent to owners of a dotted mail, for example: juan.gonzales@gmail.com, john.richards@gmail.com.

    Is this unclear in some way? He is claiming that mail to first.last@gmail.com is delivered to last@gmail.com, which is hopefully and almost certainly false.

  • Re:Privacy... (Score:3, Informative)

    by Motherfucking Shit ( 636021 ) on Wednesday July 16, 2008 @11:21PM (#24223423) Journal

    Then, simply put, you are being stupid for assuming that Google would ever protect your privacy in that regard in the first place.

    Bullshit, as Google explicitly told me when I signed up that I was required to provide accurate personal information, and that they would protect it. The following two sections are excerpted from the Google Terms of Service, presented when creating a new GMail account (emphasis mine)

    5.1 In order to access certain Services, you may be required to provide information about yourself (such as identification or contact details) as part of the registration process for the Service, or as part of your continued use of the Services. You agree that any registration information you give to Google will always be accurate, correct and up to date.

    7.1 For information about Google's data protection practices, please read Google's privacy policy at http://www.google.com/privacy.html [google.com]. This policy explains how Google treats your personal information, and protects your privacy, when you use the Services.

    So I followed their link over to the Google Privacy Policy, Last modified: October 14, 2005. Under "Information Sharing," my personal information may be shared by Google in the following scenarios (emphasis and braced comments mine)

    Google only shares personal information with other companies or individuals outside of Google in the following limited circumstances:

    We have your consent [nope]. We require opt-in consent for the sharing of any sensitive personal information.

    We provide such information to our subsidiaries [nope], affiliated companies [nope] or other trusted businesses or persons [nope] for the purpose of processing personal information on our behalf [nope]. We require that these parties agree to process such information based on our instructions and in compliance with this Policy [nope] and any other appropriate confidentiality and security measures [nope].

    We have a good faith belief that access, use, preservation or disclosure of such information is reasonably necessary to (a) satisfy any applicable law [nope], regulation [nope], legal process [nope] or enforceable governmental request [nope], (b) enforce applicable Terms of Service [nope], including investigation of potential violations thereof [nope], (c) detect, prevent, or otherwise address fraud, security or technical issues [nope], or (d) protect against imminent harm to the rights, property or safety of Google [nope], its users [nope] or the public [nope] as required or permitted by law.

    If Google becomes involved in a merger, acquisition, or any form of sale of some or all of its assets, we will provide notice before personal information is transferred and becomes subject to a different privacy policy. [none of this applies]

    We may share with third parties certain pieces of aggregated, non-personal [nope] information, such as the number of users who searched for a particular term, for example, or how many users clicked on a particular advertisement. Such information does not identify you individually.

    Assuming that I held up my end of the bargain and provided Google with my "accurate, correct and up to date" information, I expect them to hold up their end of the bargain, as well.

  • by New_Age_Reform_Act ( 1256010 ) * on Wednesday July 16, 2008 @11:27PM (#24223477) Homepage Journal

    Not only the period, the "+" sign also gives you the variation:

    abcdef@gmail.com
    abcdef+1@gmail.com
    abcdef+2@gmail.com

    and so on.

    Note: This does NOT work in Facebook.

  • Re:Privacy... (Score:3, Informative)

    by Motherfucking Shit ( 636021 ) on Thursday July 17, 2008 @01:19AM (#24224219) Journal

    It is pretty stupid to give them your real name for your Bush-hating blog though. If you plan to actually, you know, respond to your emails, whatever you put for your real name will be on them, right in the From header.

    You can change what appears in the From header at any time. Login to GMail and go to Settings > Accounts > Send Mail As > Edit Info. However, changing your name there does not change the name that appears when someone uses the Calendar exploit against you. It will show whatever first and last name you entered when you first registered for your GMail account.

  • Easy How To: (Score:4, Informative)

    by Raven737 ( 1084619 ) on Thursday July 17, 2008 @01:36AM (#24224295)
    Just create any calendar entry (single click on an empty field) with just the gmail address in the main 'What:' field, select 'don't send' and open it up (double click)... there you see the full user name of the gmail account.
    Not sure why the article makes it so complicated...

    So the admin@gmail.com guy is named 'smart ass'... poor fellow ;)
  • by Shirotae ( 44882 ) on Thursday July 17, 2008 @04:00AM (#24225051)

    You may have been given a book that does name->phone-number lookups for those who have not chosen to opt out but I believe that it is very much harder to get access to the inverse function that does phone-number->name lookups. I suspect that it varies by jurisdiction but I believe that in some places at least, people can be in serious trouble for giving access to the database that performs that function to those who do not have the proper authorization.

    Those who are familiar with security will know the concept of work-factor. You can reverse lookup with a phone book but if all you have is a printed copy it is a lot of work. The cost of doing that work is the deterrent. Modern technology has made it easier, but it is still costly. The idea is to adjust the cost/benefit ratio so that an attack is not worthwhile.

    The concern for the revealing of names from addresses is that it makes it cheaper for confidence tricksters to deliver some plausible message that will trick people into giving them some of their money. If the average cost of creating the plausible message becomes less than the expected return then the level of scamming will increase. Those of us not taken in by the tricksters will still suffer from increased level of junk so it is in all our interests to take this kind of thing seriously.

  • by The Clockwork Troll ( 655321 ) on Thursday July 17, 2008 @04:21AM (#24225165) Journal
    Check the message headers. Probably, the envelope recipient (SMTP RCPT To) was your account and the header "To:" was the address you don't own.
  • by ReptileQc ( 679542 ) on Thursday July 17, 2008 @08:04AM (#24226235)

    Actually there is another feature of Gmail that was advertised through their blog. It states that me+nospam@gmail.com is directed to me@gmail.com.

    So basically all the characters after the + sign (including it) in the email address are stripped to determine the receiver. You will see that the email has been sent to me+nospam@gmail.com and can then filter on it. If used intelligently, it can tell you which site is selling your email address to other 3rd party companies.

  • by pal ( 16076 ) on Thursday July 17, 2008 @11:52AM (#24228985)

    Forget the catchall mailbox. http://mailinator.com/ [mailinator.com] has a great system for disposable email addresses, with the caveat that you shouldn't use it if your personal information is on the line. But if you just need to give an email address to a site and get something in return that's not sensitive, it's fantastic.

  • by dfn_deux ( 535506 ) <datsun510@gma i l .com> on Thursday July 17, 2008 @03:33PM (#24232465) Homepage
    Both of these features are compliant with the RFC and are not uncommon; there is a reason the RFCs for email refer to the left hand side of the "@" as the "local part", since it is mostly up to the local MX to determine how to treat this portion.
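The local-part handling debated across this thread (dots ignored and a "+tag" dropped for gmail.com, dots significant on Google Apps domains, everything else left to the receiving MX) as an added Python example; this is not code from any of the posters or from Google. The domain set and the per-site tag record are assumptions chosen for illustration.

```python
"""Normalise addresses the way the thread describes Gmail doing it (added example)."""
import re

# Assumption: domains whose MX ignores dots and strips "+tag" before delivery.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}

_ADDR_RE = re.compile(r"^([^@\s]+)@([^@\s]+)$")


def split_address(addr):
    """Return (local_part, domain) with only the domain lowercased.

    The domain is case-insensitive everywhere; the local part is left exactly as
    written because the RFCs leave its interpretation to the receiving MX.
    """
    m = _ADDR_RE.match(addr.strip())
    if not m:
        raise ValueError(f"not a simple addr-spec: {addr!r}")
    return m.group(1), m.group(2).lower()


def plus_tag(addr):
    """Return the text after '+' in the local part, or None if there is none."""
    local, _ = split_address(addr)
    _, plus, tag = local.partition("+")
    return tag if plus else None


def canonical_mailbox(addr, dot_insensitive_domains=GMAIL_DOMAINS):
    """Return the mailbox an address is actually delivered to.

    Gmail-style domains: drop the '+tag', remove every dot, lowercase.
    Any other domain (including Google Apps, which recognises dots): fold only
    the domain and keep the local part verbatim.
    """
    local, domain = split_address(addr)
    if domain in dot_insensitive_domains:
        local = local.partition("+")[0].replace(".", "").lower()
    return f"{local}@{domain}"


def same_mailbox(a, b):
    """True if two addresses reach the same inbox under the rules above."""
    return canonical_mailbox(a) == canonical_mailbox(b)


def leaked_by(received_to, tag_to_site):
    """Map the '+tag' of a received To: address back to the site it was given to.

    tag_to_site is the user's own record of which tag went to which site, e.g.
    {"shopA": "shop-a.example"} (constructed). Returns None for an untagged or
    unknown address.
    """
    tag = plus_tag(received_to)
    return tag_to_site.get(tag) if tag else None


if __name__ == "__main__":
    # Constructed sample: the dispute in the thread, settled by the rules above.
    print(canonical_mailbox("john.richards@gmail.com"))       # johnrichards@gmail.com
    print(same_mailbox("Homer.J.Simpson@gmail.com", "homerjsimpson@gmail.com"))
    print(same_mailbox("john.richards@example.com", "johnrichards@example.com"))
    print(leaked_by("me+shopA@gmail.com", {"shopA": "shop-a.example"}))
```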
