Date: Fri, 19 Oct 2012 20:19:22 -0700
From: Sai <sai@...zai.com>
To: full-disclosure <full-disclosure@...ts.grok.org.uk>, security@...gle.com
Subject: Re: Google Maps pseudonym disclosure vulnerability via Google Places reviews

Update: the Maps team has fixed this issue using both of my suggested patches.

a) Reviews are no longer listed on Maps user profiles, thus removing
the forward link
b) Reviews are listed on G+ user profiles, thus making clear the disclosure.

Credit where credit is due.

- Sai

On Mon, Oct 1, 2012 at 6:04 PM, Sai <sai@...zai.com> wrote:
> Recently, Google Places (aka Yelp Lite :-P) got linked to G+ profiles.
> This linkage has created a potentially serious privacy vulnerability.
> To my knowledge it has not previously been disclosed; I know it thanks
> to a tip from a concerned Google Maps user.
>
> So, first off, the integration isn't fully obvious; it's not listed on
> the G+ about page. It is explicitly disclosed when you opt in to
> reviews that it will be linked to your profile, just not always
> obvious afterwards.
>
> Consider for instance +103351126638314796068. His About page doesn't
> list anything, which would seem to imply that he doesn't want his
> reviews linked with his G+ profile (which has what is presumably his
> legal name). However, if you go to
> https://plus.google.com/local/*/s/by%3A103351126638314796068 (same ID
> number) you'll find that he has reviewed +100712323888821655907.
>
> (Although that personal reviews link _doesn't_ link to his G+ profile
> directly, the restaurant's Page _does_ do so, and of course it's
> intrinsic to the ID number in the URL.)
>
> If you do a google search for the review text, you can see that at
> least one third party site has already scraped it.
>
> Now, this wouldn't be too bad by itself. It's a couple UI flaws, and
> to my knowledge you can't get from here to what I'm about to talk
> about, only the other way 'round.
>
> However, suppose that instead you had started by looking at this map
> of the West Coast Electric Highway:
> https://maps.google.com/maps/ms?hl=en&gl=us&ie=UTF8&oe=UTF8&msa=0&msid=214874436355124459198.0004c15567ce4ce290f50
>
> You can see that it was created by someone with the username _jimad_.
> Click that, and you go to an anonymous Google Maps profile page, which
> lists another two maps made by jimad… and what seems to be an
> anonymous review of +100712323888821655907.
>
> However, if you google the review text — or just click through the
> restaurant's name — you can then search through the reviews, and see
> that the writer of that review was in fact +103351126638314796068.
>
>
> So to review, the improper disclosure — which is _not_ anywhere
> consented to or explained to my knowledge — is that the Google Maps
> profile _jimad_ belongs to _+103351126638314796068_. (TTBOMK you can't
> get the reverse linkage; please let me know if not.)
>
> In this case, that disclosure is relatively innocuous; knowing who has
> mapped the West Coast Electric Highway isn't that big a deal.
>
> Consider other cases, though, where the creator of a map may have a
> significant privacy interest in their identity not being disclosed,
> like this map of porn stores and churches on I-70, by Google Maps user
> "Taylor" http://goo.gl/maps/7avuJ; or this map of Mumbai attacks by
> user "Omar" http://goo.gl/maps/dKbcA. Both are currently safe — the
> only thing disclosed is a separate name, and it's not linked to their
> G+ profiles or legal names.
>
> If either of them were to, say, review a restaurant, they would be
> told and have the impression that the only link they are creating is
> between their profile and the review. However, what they would also be
> creating is a public link between their _maps_ and their profile, and
> this isn't something they would've consented to.
>
> This can be mitigated pretty easily: just patch the Google Maps
> profile page to remove the reviews section, and/or make explicit the
> linkage in the opt-in consent for Google Places.
>
> However, it's already public, and the data's probably already been
> scraped significantly, so at this point it can't be fully fixed.
>
>
> I hope that the Google Maps, Places, & Plus teams take immediate
> action to correct this before it results in a leak that hurts someone
> — and thanks again to my anonymous informant for the tip.
>
> - Sai
>
> posted originally to:
> https://plus.google.com/103112149634414554669/posts/F12kZrPrwm2 — look
> for updates there, and +### are Google+ profile links
