sai at saizai
Oct 19, 2012, 8:19 PM
Post #2 of 2
Update: the Maps team has fixed this issue using both of my suggested patches.
Re: Google Maps pseudonym disclosure vulnerability via Google Places reviews
[In reply to]
a) Reviews are no longer listed on Maps user profiles, thus removing
the forward link
b) Reviews are listed on G+ user profiles, thus making clear the disclosure.
Credit where credit is due.
On Mon, Oct 1, 2012 at 6:04 PM, Sai <sai [at] saizai> wrote:
> Recently, Google Places (aka Yelp Lite :-P) got linked to G+ profiles.
> This linkage has created a potentially serious privacy vulnerability.
> To my knowledge it has not previously been disclosed; I know it thanks
> to a tip from a concerned Google maps user.
> So, first off, the integration isn't fully obvious; it's not listed on
> the G+ about page. It is explicitly disclosed when you opt in to
> reviews that it will be linked to your profile, just not always
> obvious afterwards.
> Consider for instance +103351126638314796068. His About page doesn't
> list anything, which would seem to imply that he doesn't want his
> reviews linked with his G+ profile (which has what is presumably his
> legal name). However, if you go to
> https://plus.google.com/local/*/s/by%3A103351126638314796068 (same ID
> number) you'll find that he has reviewed +100712323888821655907.
> (Although that personal reviews link _doesn't_ link to his G+ profile
> directly, the restaurant's Page _does_ do so, and of course it's
> intrinsic to the ID number in the URL.)
> If you do a google search for the review text, you can see that at
> least one third party site has already scraped it.
> Now, this wouldn't be too bad by itself. It's a couple UI flaws, and
> to my knowledge you can't get from here to what I'm about to talk
> about, only the other way 'round.
> However, suppose that instead you had started by looking at this map
> of the West Coast Electric Highway:
> You can see that it was created by someone with the username _jimad_.
> Click that, and you go to an anonymous Google Maps profile page, which
> lists another two maps made by jimad… and what seems to be an
> anonymous review of +100712323888821655907.
> However, if you google the review text — or just click through the
> restaurant's name — you can then search through the reviews, and see
> that the writer of that review was in fact +103351126638314796068.
> So to review, the improper disclosure — which is _not_ anywhere
> consented to or explained to my knowledge — is that the Google Maps
> profile _jimad_ belongs to _+103351126638314796068_. (TTBOMK you can't
> get the reverse linkage; please let me know if not.)
> In this case, that disclosure is relatively innocuous; knowing who has
> mapped the West Coast Electric Highway isn't that big a deal.
> Consider other cases, though, where the creator of a map may have a
> significant privacy interest in their identity not being disclosed,
> like this map of porn stores and churches on I-70, by Google Maps user
> "Taylor" http://goo.gl/maps/7avuJ; or this map of Mumbai attacks by
> user "Omar" http://goo.gl/maps/dKbcA. Both are currently safe — the
> only thing disclosed is a separate name, and it's not linked to their
> G+ profiles or legal names.
> If either of them were to, say, review a restaurant, they would be
> told and have the impression that the only link they are creating is
> between their profile and the review. However, what they would also be
> creating is a public link between their _maps_ and their profile, and
> this isn't something they would've consented to.
> This can be mitigated pretty easily: just patch the Google Maps
> profile page to remove the reviews section, and/or make explicit the
> linkage in the opt-in consent for Google Places.
> However, it's already public, and the data's probably already been
> scraped significantly, so at this point it can't be fully fixed.
> I hope that the Google Maps, Places, & Plus teams take immediate
> action to correct this before it results in a leak that hurts someone
> — and thanks again to my anonymous informant for the tip.
> - Sai
> posted originally to:
> https://plus.google.com/103112149634414554669/posts/F12kZrPrwm2 — look
> for updates there, and +### are Google+ profile links
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/