Gmail Reveals the Names of All Users
ihatespam writes "Have you ever wanted to know the name of admin@gmail.com? Now you can. Through a bug in Google calendars the names of all registered Gmail accounts are now readily available. All you need to find out the names of any gmail address is a Google calendar account yourself. Depending on your view this ranges from a harmless "feature" to a rather serious privacy violation. According to some reports, spammers are already exploiting this "feature"/bug to send personalized spam messages."
Ouf (Score:2, Insightful)
The person(s) responsible for this bug is going to have a nice and very uncomfy meeting with their supervisor very soon...
Re:Ouf (Score:5, Funny)
...after which exercise balls (in lieu of the usual chair) will be thrown in a fit of unbridled anger (several tech websites will report a mysterious colorful stream of balls spilling out the Google offices).
Re: (Score:3, Funny)
The person(s) responsible for this bug is going to have a nice and very uncomfy meeting with their supervisor very soon...
But who was responsible? Let the Ginquisition begin!
Google has persistently pursued innovation and pushed the limits of existing technology to provide a fast, accurate and easy-to-use torture room that can be accessed from anywhere.
Is it really that big of a deal? (Score:4, Insightful)
If I was worried about privacy with my gmail account, google wouldn't have my actual name to have the ability to give it out.
Re:Is it really that big of a deal? (Score:5, Informative)
If I was worried about privacy with my gmail account, google wouldn't have my actual name to have the ability to give it out.
That's all well and good until you decide to start using actual Google services (Checkout, AdSense, AdWords, and the like). It's possible to do these things with a non-GMail email address, but you have to create a Google account anyway, so I'd venture to say most folks use their GMail address if they already have one.
Re: (Score:3, Interesting)
Not to mention that my employers have (without any process of considering implications whatsoever) started to use Google services for all their meeting arrangements, annual leave sheets, some internal email communications. I imagine some other places are doing the same. I wonder if it will get to the point where having your Google account suspended will be cause for a dismissal. At any rate, not everyone has the option of not using Google. I imagine the number of such people will increase.
D'Oh (Score:5, Funny)
Re:D'Oh (Score:5, Funny)
Fortunately for Homer Simpson, that's @aol.com
Re:D'Oh (Score:5, Funny)
I can't believe Google would do this! (Score:5, Funny)
Really, now everyone will know my name is John Smith? I am outraged and will see my lawyer immediately!
-- john.smith@gmail.com
Re:I can't believe Google would do this! (Score:4, Insightful)
Re: (Score:3, Funny)
Is This Evil? (Score:4, Interesting)
Re:Is This Evil? (Score:5, Insightful)
Re:Is This Evil? (Score:5, Informative)
Sure, it's an unfortunate bug. Yes, the spam has potential to annoy--but it's spam; would you even notice a few more in the spam box?
It's more serious than that. Once the spammers know your name they can construct more personalized messages which has two implications:
- Increased chance of success in a social engineering attack.
- Better chance of fooling a spam filter.
If you're the kind of person who emails others without disclosing your real name, why would you give your real name to the email provider?
Spammers don't wait for you to email them. They buy lists of email addresses in bulk. For this particular vulnerability, they can even use a random generator and just keep track of the hits when adding appointments to the calendar.
Unless I'm a spambot, I'm not going to sit down and type out random strings of words and numbers to find out the name data on some arbitrary addresses. Whether it's Hotmail or Yahoo or Gmail doesn't matter here.
Assume you are a spambot then -- that's what TFA is about -- a security vulnerability in Gmail that spammers can take advantage of. Spammers are usually interested in creating spambots.
I don't know where OP's question about "evilness" comes in. Google deserves the benefit of doubt (about this being an honest mistake) as long as they fix it, rather than issuing some BS reason not to.
Re: (Score:3, Informative)
It's more serious than that. Once the spammers know your name they can construct more personalized messages
They can already do this (and do), based on the name of your email account and other sources. The presence or absence of your name on your email account is not going to make a significant difference in the accuracy of their bulk lists.
Better chance of fooling a spam filter.
Based on what? The presence or absence of a name amongst the text is not going to affect spam scoring.
Spammers don't wait for you to email them. They buy lists of email addresses in bulk.
No shit. This doesn't have anything to do with that.
For this particular vulnerability, they can even use a random generator and just keep track of the hits when adding appointments to the calendar.
To what end? A person not susceptible to a social engineering attack isn't going to become more so because the email su
Re: (Score:3, Insightful)
No, but it constitutes a serious bug. Evil usually requires intent. Stupidity, on the other hand, can be completely unintentional.
Re:Is This Evil? (Score:4, Insightful)
But, does this constitute evil? So far so good. My gmail account is my real name anyway. I'll be looking out for the evil...
So if it doesn't affect you, then it is ok?
I think you have defined for us what evil is and you are a shining example of it yourself...
Re: (Score:3, Funny)
About time you caught on
Re: (Score:3, Funny)
A motto that, by its own grammar, violates itself? Brilliant!
Head in the clouds (Score:5, Insightful)
I try really, really hard not to leave too broad a trail online. Those databases just never die (except when they do, of course - but the timing is subject to Murphy's Law, so it's never in my favor).
I'm gonna go hide in my cave now.
Re: (Score:3, Informative)
I take that one tinfoiled hat step further. I remain absolutely untrusting (or trusting that the gravest possible negative outcome occurs 100% of the time) of every single company and government that I deal with.
A company's or government's interests with your information are never the same as your own. The way in which other entities will use this data to further their own goals is not always in your best interests. It does not have to
Just how personal is this new spam (Score:5, Funny)
Re:Just how personal is this new spam (Score:5, Insightful)
Not yet but soon, just wait for the medical data to be compromised in a similar way.
Re:Just how personal is this new spam (Score:5, Funny)
At least change the 'your' to 'his'. That might even get you more sales than sending it to the men.
Oh that tears it. (Score:5, Funny)
This is horrible. This is an outrage! I'm writing Google a letter telling them how awful this is and how they need to work on the Q/A. I mean my GMail address *IS* my full name, but I'm not going to let that fact stop me from acting like an emotionally charged idiot!
Grow up, lemming (Score:3, Insightful)
Well, grow up. Even if this particular one doesn't affect you, it does show the kind of privacy problems that google has _again_. And it seems to be a perfect illustration of what a few Google defectors were ranting about recently.
Depending on what of their services you use, Google usually has a lot more data about you than your name. E.g., your searches, the news/mailing-lists you're subscribed to, your credit card number if you use their payment processor, possibly your medical history, etc. Heck, it even
Bugs are to be expected... (Score:5, Funny)
It's a good thing they caught this in beta, before it affects a large number of people!
Finally Sean Penn will have justice (Score:5, Funny)
http://www.theonion.com/content/node/44460 [theonion.com]
The *real* security risk... (Score:4, Interesting)
...is that this will allow Phishing scams aimed at GMail users to *seem* so much more plausible.
What? You expected humour?
Serious FERPA Violation (Score:5, Interesting)
The Families Educational Rights and Privacy Act of 1974 allows a student at a university to require the university to not release their name to anyone. For example, if you check for my name at my school's phonebook, you'll find I'm not listed. If you call my registrar's office and ask for information on me, they'll tell you that they don't have a student by my name. You see, it's against the law for them to even confirm that I'm a student.
Since many schools have outsourced their email systems to Gmail, anyone can generate a full roster of student names through this trick. This could obviously result in many violations of FERPA.
Testing this (Score:3, Funny)
So how do I go about testing this on myself? (as 100 posts reply with my real name.... Scrooge McDuck)
Privacy... (Score:5, Insightful)
Ok...so I only see this as an issue for people trying to hide their identity for something nefarious. I mean christ, I give out my full name a dozen times a day to people I don't know. "Hello, we have a circuit down and need to open a ticket." "Hello, I have a few questions about your product." and damned near every other statement you might make when calling another company is almost IMMEDIATELY followed by "Can I have your name please?" Of course this is after they answer the phone "Hello, my name is..."? Now granted they don't always use their last name if they are just phone jockeys, but almost anyone worth anything in terms of sales/technical/etc reps will give you their full name, email address, phone number, etc.
In other news, purchasing cigarettes and alcohol requires you to disclose your first and last name when you show your ID! Even worse, there are rumors that every time you make a purchase using anything other than cash you have to disclose your first and last name. This isn't a privacy issue, maybe a privacy irritation, but certainly not anything to get in a ruffle about. It isn't like names are even really unique identifiers. Now if it revealed birthdays or SSNs or credit card numbers or something then I would understand.
Course, maybe there is something here I am ignoring. Do the people getting in a ruffle about this freak out when someone of the opposite sex asks their name? "Oh my god they are trying to invade my privacy!" Generally it is considered "normal" to give them your name so they have something to call you other than "freak" or "uberhax4234".
Re: (Score:3, Insightful)
Re: (Score:3, Interesting)
In other news, purchasing cigarettes and alcohol requires you to disclose your first and last name when you show your ID! Even worse, there are rumors that every time you make a purchase using anything other than cash you have to disclose your first and last name.
Perhaps in the US, but here in the UK you don't have to show ID to buy alcohol or tobacco unless you look like you might be under age. Even that's a relatively recent thing - 16 years ago I had no problem buying alcohol at 16 and 17 (age limit is 18
Hmmm... (Score:3, Funny)
However, there exists one and only one of me.
I wouldn't be so sure of that. I've run into many people in my time who were "Motherfucking Shit"s.
Re: (Score:3, Informative)
Then, simply put, you are being stupid for assuming that Google would ever protect your privacy in that regard in the first place.
Bullshit, as Google explicitly told me when I signed up that I was required to provide accurate personal information, and that they would protect it. The following two sections are excerpted from the Google Terms of Service, presented when creating a new GMail account (emphasis mine)
5.1 In order to access certain Services, you may be required to provide information about yourself (such as identification or contact details) as part of the registration process for the Service, or as part of your continued use of the Services. You agree that any registration information you give to Google will always be accurate, correct and up to date.
7.1 For information about Google's data protection practices, please read Google's privacy policy at http://www.google.com/privacy.html [google.com]. This policy explains how Google treats your personal information, and protects your privacy, when you use the Services.
So I followed their link over to the Google Privacy Policy, Last modified: October 14, 2005. Under "Information Sharing," my personal information may be shared by Google in the following scenarios (emphasis and braced comments m
Re: (Score:3, Informative)
It is pretty stupid to give them your real name for your Bush-hating blog though. If you plan to actually, you know, respond to your emails, whatever you put for your real name will be on them, right in the From header.
You can change what appears in the From header at any time. Log in to GMail and go to Settings > Accounts > Send Mail As > Edit Info. However, changing your name there does not change the name that appears when someone uses the Calendar exploit against you. It will show whatever first and last name you entered when you first registered for your GMail account.
Real info? (Score:5, Funny)
Really, I wonder how many times people have used bugs like this to steal an identity, only to find that it's all fake info anyhow.
Personally, every few years, I Re-invent someone... Use a fake(completely fake, not false) identity for everything from Cellphones to gmail.
I google my real name, nothing, google my 'fake' like 20 pages. My 'fake' identity is WAY more famous than I am... I'm kinda jealous.
With great power comes great responsibility (Score:3, Insightful)
Frankly, Google seems to be gathering excessive power and not doing so well on the responsibility part. In general, they have become far too helpful to spammers, so I suggested a way that Google could be much less helpful to the spammers [google.com]--but there is no evidence they are interested in it. Does their understanding of evil somehow exempt the spammers?
On the general privacy thing, too many companies are collecting too much of our personal data--and then treating it like their corporate property. I deeply resent it, but at least it isn't anything special about Google. Or maybe it is, insofar as Google is especially skilled at using information, and therefore poses the greater threat for potential abuse... What I want is a privacy option to store my personal information on *MY* computer, and they can ask when they want to look at it--and they had better ask nicely, too. (Actually, I want an automated system of user-controlled privacy preferences to handle most of this...)
Gaping security hole reveals same info I send out (Score:4, Funny)
I was like, really concerned for a minute. I thought spammers had managed to access something *important* or something.
So, this is about someone that already knows my email address accessing the "name" that I show on every email I send out?
To quote "The Whole Nine Yards" -
*Oh* *My* *Gawd*!
Pug
That's why my gmail address... (Score:5, Funny)
is just my Social Security number.
Just google being google (Score:3, Interesting)
I've used about every service that they have had, and this is pretty much how everything they do works. You don't opt in for anything, you have to figure out how to eventually opt out.
You fumble through the options screen and finally find the right combination of checkboxes that doesn't throw your name out there, and let everyone see everything by default.
"Hey guess what users, we added this nice option that lets everyone see your real name, address, and link to a picture of your house on google maps. Don't worry, it's been already enabled for your convenience!"
Easy How To: (Score:4, Informative)
Not sure why the article makes it so complicated...
So the admin@gmail.com guy is named 'smart ass'... poor fellow
Re:This only punishes the foolish (Score:5, Funny)
This bug really doesn't affect me as my email address is my real name.
Re:This only punishes the foolish (Score:5, Funny)
ahah! But now the spammers KNOW FOR SURE that there isn't an underscore/dash/whatever between your first and last name! You're so screwed!
Re:This only punishes the foolish (Score:5, Interesting)
Gmail strips out punctuation. So email to First.Last@gmail.com goes to the same inbox as FirstLast@gmail.com
Re:This only punishes the foolish (Score:5, Funny)
Then they'll know what part is your first and last name regardless of capitalization! THIS IS HUGE!
Re:This only punishes the foolish (Score:5, Insightful)
citation needed. seriously, what you describe would be a huge security/privacy hole, and I don't believe you.
Re:This only punishes the foolish (Score:4, Insightful)
I am aware of the period-ignoring feature, by which gmail treats Bob.Smith@ and Bo.bS.mith@ and BobSmith@ as the same person. That is not at issue. The parent claims that email sent to Bob.Smith@ is also delivered to [just] Smith@, which I believe to be false.
Re: (Score:3, Informative)
Actually there is another feature of Gmail that was advertised through their blog. And it states that me+nospam@gmail.com is directed to me@gmail.com
So basically all the characters after the + sign (including it) in the email address are stripped to determine the receiver. You will see that the email has been sent to me+nospam@gmail.com and then can filter on it. If used intelligently, it can tell you which site is selling your email address to other 3rd party companies.
Re: (Score:3, Informative)
Re: (Score:3, Informative)
And it will go to the owner of last@gmail.com too. There's a lot of accounts with simple names like richards@gmail.com or gonzales@gmail.com which get ALL e-mail sent to owners of a dotted mail, for example: juan.gonzales@gmail.com, john.richards@gmail.com.
Is this unclear in some way? He is claiming that mail to first.last@gmail.com is delivered to last@gmail.com, which is hopefully and almost certainly false.
Re:This only punishes the foolish (Score:5, Funny)
Re:This only punishes the foolish (Score:5, Funny)
Re: (Score:3, Interesting)
A better method for customizing your registered email address is to use "+" on the left side. "me+example.com@gmail.com" should be directed to "me@gmail.com" by their system. I say "should" simply because I've never tested the "+" feature with "."s in "it."
"
I"m sorry, I seem to have a quotation infesta""tion. The information"s correct, though.
Re:This only punishes the foolish (Score:5, Insightful)
Re: (Score:3, Informative)
Forget the catchall mailbox. http://mailinator.com/ [mailinator.com] has a great system for disposable email addresses, with the caveat that you shouldn't use it if your personal information is on the line. But if you just need to give an email address to a site and get something in return that's not sensitive, it's fantastic.
Re:This only punishes the foolish (Score:4, Informative)
Re: (Score:3, Informative)
Re:This only punishes the foolish (Score:5, Informative)
False. For GMail, dots are invisible in regards to who receives the email. Emails sent to foobar@gmail.com and foo.bar@gmail.com and f.o.o.b.a.r@gmail.com all go to the same address. Messages sent to foo.bar@gmail.com don't go to bar@gmail.com.
Re:This only punishes the foolish (Score:5, Informative)
Re:This only punishes the foolish (Score:5, Informative)
you are incorrect. john.richards@gmail.com sends mail to johnrichards@gmail.com, not to richards@gmail.com. Stripping the punctuation means gmail ignores it, not kills off the first part.
what you are talking about is using + in your email address: see here Google Blog [blogspot.com]
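The address handling the replies above describe (dots ignored, everything from `+` onward dropped, nothing delivered to a shortened name), written out as an added example that is not part of any post and not Google's code. The function names, sample tags and site names are made up for illustration, and case-insensitive Gmail local parts are assumed in addition to what the thread states.

```python
GMAIL_DOMAINS = {"gmail.com"}  # only the domain discussed in the thread


def split_address(addr):
    """Return (local, domain) with the domain lower-cased."""
    local, sep, domain = addr.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {addr!r}")
    return local, domain.lower()


def canonical_mailbox(addr):
    """Map an address spelling to the mailbox that receives it.

    gmail.com: case is ignored (assumption), the '+tag' suffix is dropped,
    then dots in the local part are removed. Other domains keep their local
    part untouched because their rules are not known here.
    """
    local, domain = split_address(addr)
    if domain in GMAIL_DOMAINS:
        local = local.lower().split("+", 1)[0].replace(".", "")
        if not local:
            raise ValueError(f"empty mailbox name: {addr!r}")
    return f"{local}@{domain}"


def plus_tag(addr):
    """Return the '+tag' a message was addressed to, or None if absent."""
    local, domain = split_address(addr)
    if domain not in GMAIL_DOMAINS or "+" not in local:
        return None
    return local.lower().split("+", 1)[1] or None


def group_by_mailbox(addresses):
    """Group spellings that reach the same inbox (e.g. signup de-duplication)."""
    groups = {}
    for addr in addresses:
        groups.setdefault(canonical_mailbox(addr), []).append(addr)
    return groups


def leak_report(unwanted_recipients, tags_issued):
    """Count unwanted mail per site, using the tag each site was given.

    unwanted_recipients: To: addresses taken from unsolicited messages
    tags_issued: {tag: site the tagged address was handed to}
    """
    counts = {}
    for rcpt in unwanted_recipients:
        site = tags_issued.get(plus_tag(rcpt), "untagged/unknown")
        counts[site] = counts.get(site, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed sample data; the spellings mirror the ones used in the thread.
    spellings = ["Bob.Smith@gmail.com", "Bo.bS.mith@gmail.com",
                 "BobSmith@gmail.com", "Smith@gmail.com"]
    for mailbox, members in group_by_mailbox(spellings).items():
        print(mailbox, "<-", members)

    spam_to = ["me+shopsite@gmail.com", "M.E+shopsite@gmail.com",
               "me@gmail.com", "me+forum@gmail.com"]
    issued = {"shopsite": "shop.example", "forum": "forum.example"}
    print(leak_report(spam_to, issued))
```

A sender can strip the tag before using the address, so an untagged hit says nothing about where the address came from.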
Re:This only punishes the foolish (Score:5, Funny)
Re:This only punishes the foolish (Score:5, Funny)
There are two X's in Rolexx.
Re:This only punishes the foolish (Score:4, Funny)
Re:This only punishes the foolish (Score:5, Funny)
mine goes to thirteen...
Re:This only punishes the foolish (Score:5, Informative)
Since all names are really all about pretense, I set up mine on Gmail as "firstnamelastname@gmail.com" (Where 'firstname' and 'lastname' are my actual names.)
I think there are only eight or ten other people in the US with my name spelled the same anyway. Regardless, I think Gmail's spam filters have only let a couple of false negatives into my Inbox.
*THIS* is why I use very different passwords for web mail as say, my banking or credit report service passwords, etc... If the password file were to be breached, I would only have one to change.
I suggest a good password management app such as this one: http://passwordsafe.sourceforge.net/ [sourceforge.net]
OMG ... first names... then what? Last names? (Score:5, Insightful)
and if you're trying to hide your identity and you put your real first / last name into a free service, you're a moron.
Re:OMG ... first names... then what? Last names? (Score:4, Insightful)
Honestly - your name isn't a secret...
It is to people who don't know it.
Spam doesn't worry me, it's privacy. (Score:5, Interesting)
This goes well beyond the scope of SPAM. Once they match your real name with your e-mail, they can start finding out what you do online, what sites/forums you visit, etc (Google knows everything).
I'm much more worried about ID thieves finding out about my life than about getting personalized spam.
Re: (Score:3, Insightful)
Re:Spam doesn't worry me, it's privacy. (Score:4, Funny)
But... What if I were to tell you that my real Gmail address is "ToddDavis@gmail.com" AND I AM Protected With "LifeLock"!!
http://www.youtube.com/watch?v=Zuom4j3-dGY [youtube.com]
Re:This only punishes the foolish (Score:5, Funny)
Where 'firstname' and 'lastname' are my actual names.
Damn! Some nasty name you got there! Perhaps I'll name my son 'firstname' too!
Re: (Score:3, Funny)
I'm going to name my kid 'lastname' instead.
Re: (Score:3, Insightful)
Drifting OT but I've found that MD5 passwords are a great way to have unique passwords for a site, eg.
md5("MySecretPassword-www.somesite.com")
Means you can use 1 password for everything without revealing it to any sites
Re:This only punishes the foolish (Score:5, Funny)
Re:This only punishes the foolish (Score:5, Funny)
No, her parents named her Moon Unit. What kind of fucking name would "Quantum G" be?!?!
Re:This only punishes the foolish (Score:4, Funny)
Whooosh.
So's mine. (Score:5, Funny)
I wondered why all the spam was suddenly titled, "Hey Satanic!" and "Dear Mr. Puppy"
Re:This only punishes the foolish (Score:4, Funny)
Re:This only punishes the foolish (Score:5, Insightful)
In short, yes. Ever since GMail was launched and people discovered that it's way more convenient than Outlook/Yahoo/etc., there's been a steady conversion of addresses in my contact list to "@gmail.com". People are moving to GMail as their primary mail accounts -- I don't know if you've been listening since 1998, but "free web-based email" is now often much, much better than whatever your university/company offers.
So yeah, this is a pretty big deal -- not so much for spammers, but as a privacy violation. You can't do a name lookup for an arbitrary e-mail address, and you shouldn't be able to do it for a GMail address. Someone should get an ass-kicking for this.
Re:This only punishes the foolish (Score:5, Funny)
Someone should get an ass-kicking for this.
Agreed. I'll certainly be asking for my money back...
Re:This only punishes the foolish (Score:5, Funny)
So yeah, this is a pretty big deal -- not so much for spammers, but as a privacy violation. You can't do a name lookup for an arbitrary e-mail address, and you shouldn't be able to do it for a GMail address. Someone should get an ass-kicking for this.
You know what else... Someone left a thick softcover book on my doorstep the other day that listed the names, addresses, and phone numbers of everyone in my region. Hundreds of thousands of people, maybe millions. I called the police about this, but they seemed unconcerned.
Re: (Score:3, Funny)
Posting to clear moderation because I was brainless and didn't get the joke.
Re: (Score:3, Funny)
Posting to say that I moderated you Funny, then realized that "[I've] already posted something in this discussion."
A reverse lookup phone book is much harder to find (Score:4, Informative)
You may have been given a book that does name->phone-number lookups for those who have not chosen to opt out but I believe that it is very much harder to get access to the inverse function that does phone-number->name lookups. I suspect that it varies by jurisdiction but I believe that in some places at least, people can be in serious trouble for giving access to the database that performs that function to those who do not have the proper authorization.
Those who are familiar with security will know the concept of work-factor. You can reverse lookup with a phone book but if all you have is a printed copy it is a lot of work. The cost of doing that work is the deterrent. Modern technology has made it easier, but it is still costly. The idea is to adjust the cost/benefit ratio so that an attack is not worthwhile.
The concern for the revealing of names from addresses is that it makes it cheaper for confidence tricksters to deliver some plausible message that will trick people into giving them some of their money. If the average cost of creating the plausible message becomes less than the expected return then the level of scamming will increase. Those of us not taken in by the tricksters will still suffer from increased level of junk so it is in all our interests to take this kind of thing seriously.
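The work-factor argument above, applied to the guest-lookup path on the service side, as an added example that is not part of any post and not Google's code: a per-account budget on first-time guest lookups, so bulk harvesting of names is flagged while ordinary scheduling is not. The event format, window, limit and all sample data are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 3600  # assumed look-back window
MAX_NEW_GUESTS = 20    # assumed budget of first-time guest lookups per window


def find_enumerators(events, window=WINDOW_SECONDS, limit=MAX_NEW_GUESTS):
    """Return {actor: timestamp at which the budget was first exceeded}.

    events: iterable of (timestamp_seconds, actor, guest_address), time-sorted.
    Only the first time an actor names a given guest counts against the
    budget, so re-inviting the same colleagues is never penalised.
    """
    seen = defaultdict(set)      # actor -> guests already looked up
    recent = defaultdict(deque)  # actor -> timestamps of first-time lookups
    flagged = {}
    for ts, actor, guest in events:
        guest = guest.strip().lower()
        if guest in seen[actor]:
            continue
        seen[actor].add(guest)
        q = recent[actor]
        q.append(ts)
        # Drop first-time lookups that have aged out of the window.
        while q and q[0] <= ts - window:
            q.popleft()
        if len(q) > limit and actor not in flagged:
            flagged[actor] = ts
    return flagged


def build_sample_events():
    """Constructed events: one ordinary user, one bulk script, one slow script."""
    events = []
    # Ordinary user: the same three colleagues invited every hour for 9 hours.
    for hour in range(9):
        for i, guest in enumerate(["bob", "carol", "dave"]):
            events.append((hour * 3600 + i, "alice", f"{guest}@example.com"))
    # Bulk script: 200 distinct addresses, one every 3 seconds.
    for i in range(200):
        events.append((1000 + i * 3, "bulk", f"user{i}@example.com"))
    # Slow script: one new address every 5 minutes (12 per hour, under budget).
    for i in range(48):
        events.append((i * 300, "slow", f"slow{i}@example.com"))
    return sorted(events)


if __name__ == "__main__":
    for actor, ts in find_enumerators(build_sample_events()).items():
        print(f"{actor}: budget exceeded at t={ts}s")
```

The slow account is not flagged, but it is held to the budget's rate: that ceiling is the cost imposed on anyone harvesting names one lookup at a time.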
Re: (Score:3, Interesting)
As have I - But that has no bearing on whether or not people give GMail their real names. I know I sure as hell didn't, despite using that account for a number of legitimate purposes, including professional contacts.
And as a bonus, anyone foolish enough to spam me under a name I give to a random website actually helps my spam filtering, because I never give my real
Re: (Score:2, Insightful)
I mean really... Does anyone with a lick of sense actually give their real name to a free web-based service?
It's not about a 'lick of sense' as such - it's about knowledge of technology - specifically the internet, and a lack of education with regard to the internet. I know individuals with a hell of a lot of sense who would give their real names in such a situation.
Just because you and I have a reasonable working knowledge of the ins and outs of the internet, it doesn't mean everyone else does.
Re:This only punishes the foolish (Score:5, Interesting)
I know individuals with a hell of a lot of sense who would give their real names in such a situation.
So? Part of the reason for that is that full names in and of themselves are not really a security risk. I walk around all day in public with an ID badge that gives my first and last name. Big deal. Our names are our public identifiers.
Re:This only punishes the foolish (Score:4, Interesting)
eBay sent this message to FULL NAME (account)
Your registered name is included to show this message originated from eBay. Learn more.
The "Learn more" link takes you to http://pages.ebay.com/help/confidence/name-userid-emails.html [ebay.com] which explains
Since people who send out spoof emails often don't have your first and last name as well as eBay User ID, receiving an email that contains this information should increase your confidence that the email was sent by eBay.
Re: (Score:3, Funny)
Gore (Score:3, Insightful)
Al Gore isn't dead, he's just resting!
Re: (Score:3, Insightful)
You do realise you give LOTS of mail servers WAY more private information every time you send or RECEIVE a non-encrypted e-mail, right? Mommy wrote you saying happy birthday and signed her message with her full name? Your employer, coworker or friends ever wrote you an e-mail? Seriously, if you worry about google knowing your full name I think you should probably panic right about now given that ever
Re:This only punishes the foolish (Score:4, Insightful)
Why would they have such an unnecessary expense?
I have no problem giving people my gmail account address for business-type-transactions because it is a hell of a lot easier to keep track of my conversations and actually get business done using gmail. When I do need a "professional" email address I usually just have it forwarded to my gmail account, again, because it is easier to keep my life organized that way.
Not to mention how great gmail and Google Calendar Sync work on my BlackBerry.
It has really become a first-rate application suite for just about every use.
Re: (Score:3, Interesting)
Because it looks unprofessional (may be a pro or con depending on the business)
ie mike@mikesauto.com versus mike34534@hotmail.com
There is also the superficial sense of security. When I send email to Mike at his domain I'm pretty sure he is the only one reading it (although it very well could also be the isp, hosting domain, his sysadmin, and NSA). When I send email to hotmail or gmail, perhaps unfounded, I have the feeling that if they felt like it MS or google could be reading the emails and no-one would k
Re:This only punishes the foolish (Score:5, Interesting)
there are some cases where Google is a good alternative to other options.
Re: (Score:3, Funny)
I'll stick with my tiny, anonymized 3rd party free web based (and solar hosted) email provider, thanks.
I'll stick to earth-based email providers, thank you very much. Though off-planet backups are helpful in case of catastrophe.
Re: (Score:3, Insightful)
Man, the word 'Beta' is becoming like patents in terms of length.
If only Microsoft had released Vista Beta instead we'd have no reason to complain!
Re: (Score:3, Funny)