lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAPdaGT4LFZYmxYsBFP9fivEWdJ6CFCGwxRs=0_nkz_Cvnewc+g@mail.gmail.com>
Date: Mon, 1 Oct 2012 18:04:03 -0700
From: Sai <sai@...zai.com>
To: full-disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Google Maps pseudonym disclosure vulnerability
	via Google Places reviews

Recently, Google Places (aka Yelp Lite :-P) got linked to G+ profiles.
This linkage has created a potentially serious privacy vulnerability.
To my knowledge it has not previously been disclosed; I know it thanks
to a tip from a concerned Google maps user.

So, first off, the integration isn't fully obvious; it's not listed on
the G+ about page. It is explicitly disclosed when you opt in to
reviews that it will be linked to your profile, just not always
obvious afterwards.

Consider for instance +103351126638314796068. His About page doesn't
list anything, which would seem to imply that he doesn't want his
reviews linked with his G+ profile (which has what is presumably his
legal name). However, if you go to
https://plus.google.com/local/*/s/by%3A103351126638314796068 (same ID
number) you'll find that he has reviewed +100712323888821655907.

(Although that personal reviews link _doesn't_ link to his G+ profile
directly, the restaurant's Page _does_ do so, and of course it's
intrinsic to the ID number in the URL.)

If you do a google search for the review text, you can see that at
least one third party site has already scraped it.

Now, this wouldn't be too bad by itself. It's a couple UI flaws, and
to my knowledge you can't get from here to what I'm about to talk
about, only the other way 'round.

However, suppose that instead you had started by looking at this map
of the West Coast Electric Highway:
https://maps.google.com/maps/ms?hl=en&gl=us&ie=UTF8&oe=UTF8&msa=0&msid=214874436355124459198.0004c15567ce4ce290f50

You can see that it was created by someone with the username _jimad_.
Click that, and you go to an anonymous Google Maps profile page, which
lists another two maps made by jimad… and what seems to be an
anonymous review of +100712323888821655907.

However, if you google the review text — or just click through the
restaurant's name — you can then search through the reviews, and see
that the writer of that review was in fact +103351126638314796068.


So to review, the improper disclosure — which is _not_ anywhere
consented to or explained to my knowledge — is that the Google Maps
profile _jimad_ belongs to _+103351126638314796068_. (TTBOMK you can't
get the reverse linkage; please let me know if not.)

In this case, that disclosure is relatively innocuous; knowing who has
mapped the West Coast Electric Highway isn't that big a deal.

Consider other cases, though, where the creator of a map may have a
significant privacy interest in their identity not being disclosed,
like this map of porn stores and churches on I-70, by Google Maps user
"Taylor" http://goo.gl/maps/7avuJ; or this map of Mumbai attacks by
user "Omar" http://goo.gl/maps/dKbcA. Both are currently safe — the
only thing disclosed is a separate name, and it's not linked to their
G+ profiles or legal names.

If either of them were to, say, review a restaurant, they would be
told and have the impression that the only link they are creating is
between their profile and the review. However, what they would also be
creating is a public link between their _maps_ and their profile, and
this isn't something they would've consented to.

This can be mitigated pretty easily: just patch the Google Maps
profile page to remove the reviews section, and/or make explicit the
linkage in the opt-in consent for Google Places.

However, it's already public, and the data's probably already been
scraped significantly, so at this point it can't be fully fixed.


I hope that the Google Maps, Places, & Plus teams take immediate
action to correct this before it results in a leak that hurts someone
— and thanks again to my anonymous informant for the tip.

- Sai

posted originally to:
https://plus.google.com/103112149634414554669/posts/F12kZrPrwm2 — look
for updates there, and +### are Google+ profile links

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ