Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: Full Disclosure: Full-Disclosure

Google Maps pseudonym disclosure vulnerability via Google Places reviews

 

 

Full Disclosure full-disclosure RSS feed   Index | Next | Previous | View Threaded


sai at saizai

Oct 1, 2012, 6:04 PM

Post #1 of 2 (170 views)
Permalink
Google Maps pseudonym disclosure vulnerability via Google Places reviews

Recently, Google Places (aka Yelp Lite :-P) got linked to G+ profiles.
This linkage has created a potentially serious privacy vulnerability.
To my knowledge it has not previously been disclosed; I know it thanks
to a tip from a concerned Google maps user.

So, first off, the integration isn't fully obvious; it's not listed on
the G+ about page. It is explicitly disclosed when you opt in to
reviews that it will be linked to your profile, just not always
obvious afterwards.

Consider for instance +103351126638314796068. His About page doesn't
list anything, which would seem to imply that he doesn't want his
reviews linked with his G+ profile (which has what is presumably his
legal name). However, if you go to
https://plus.google.com/local/*/s/by%3A103351126638314796068 (same ID
number) you'll find that he has reviewed +100712323888821655907.

(Although that personal reviews link _doesn't_ link to his G+ profile
directly, the restaurant's Page _does_ do so, and of course it's
intrinsic to the ID number in the URL.)

If you do a google search for the review text, you can see that at
least one third party site has already scraped it.

Now, this wouldn't be too bad by itself. It's a couple UI flaws, and
to my knowledge you can't get from here to what I'm about to talk
about, only the other way 'round.

However, suppose that instead you had started by looking at this map
of the West Coast Electric Highway:
https://maps.google.com/maps/ms?hl=en&gl=us&ie=UTF8&oe=UTF8&msa=0&msid=214874436355124459198.0004c15567ce4ce290f50

You can see that it was created by someone with the username _jimad_.
Click that, and you go to an anonymous Google Maps profile page, which
lists another two maps made by jimad… and what seems to be an
anonymous review of +100712323888821655907.

However, if you google the review text — or just click through the
restaurant's name — you can then search through the reviews, and see
that the writer of that review was in fact +103351126638314796068.


So to review, the improper disclosure — which is _not_ anywhere
consented to or explained to my knowledge — is that the Google Maps
profile _jimad_ belongs to _+103351126638314796068_. (TTBOMK you can't
get the reverse linkage; please let me know if not.)

In this case, that disclosure is relatively innocuous; knowing who has
mapped the West Coast Electric Highway isn't that big a deal.

Consider other cases, though, where the creator of a map may have a
significant privacy interest in their identity not being disclosed,
like this map of porn stores and churches on I-70, by Google Maps user
"Taylor" http://goo.gl/maps/7avuJ; or this map of Mumbai attacks by
user "Omar" http://goo.gl/maps/dKbcA. Both are currently safe — the
only thing disclosed is a separate name, and it's not linked to their
G+ profiles or legal names.

If either of them were to, say, review a restaurant, they would be
told and have the impression that the only link they are creating is
between their profile and the review. However, what they would also be
creating is a public link between their _maps_ and their profile, and
this isn't something they would've consented to.

This can be mitigated pretty easily: just patch the Google Maps
profile page to remove the reviews section, and/or make explicit the
linkage in the opt-in consent for Google Places.

However, it's already public, and the data's probably already been
scraped significantly, so at this point it can't be fully fixed.


I hope that the Google Maps, Places, & Plus teams take immediate
action to correct this before it results in a leak that hurts someone
— and thanks again to my anonymous informant for the tip.

- Sai

posted originally to:
https://plus.google.com/103112149634414554669/posts/F12kZrPrwm2 — look
for updates there, and +### are Google+ profile links

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


sai at saizai

Oct 19, 2012, 8:19 PM

Post #2 of 2 (127 views)
Permalink
Re: Google Maps pseudonym disclosure vulnerability via Google Places reviews [In reply to]

Update: the Maps team has fixed this issue using both of my suggested patches.

a) Reviews are no longer listed on Maps user profiles, thus removing
the forward link
b) Reviews are listed on G+ user profiles, thus making clear the disclosure.

Credit where credit is due.

- Sai

On Mon, Oct 1, 2012 at 6:04 PM, Sai <sai [at] saizai> wrote:
> Recently, Google Places (aka Yelp Lite :-P) got linked to G+ profiles.
> This linkage has created a potentially serious privacy vulnerability.
> To my knowledge it has not previously been disclosed; I know it thanks
> to a tip from a concerned Google maps user.
>
> So, first off, the integration isn't fully obvious; it's not listed on
> the G+ about page. It is explicitly disclosed when you opt in to
> reviews that it will be linked to your profile, just not always
> obvious afterwards.
>
> Consider for instance +103351126638314796068. His About page doesn't
> list anything, which would seem to imply that he doesn't want his
> reviews linked with his G+ profile (which has what is presumably his
> legal name). However, if you go to
> https://plus.google.com/local/*/s/by%3A103351126638314796068 (same ID
> number) you'll find that he has reviewed +100712323888821655907.
>
> (Although that personal reviews link _doesn't_ link to his G+ profile
> directly, the restaurant's Page _does_ do so, and of course it's
> intrinsic to the ID number in the URL.)
>
> If you do a google search for the review text, you can see that at
> least one third party site has already scraped it.
>
> Now, this wouldn't be too bad by itself. It's a couple UI flaws, and
> to my knowledge you can't get from here to what I'm about to talk
> about, only the other way 'round.
>
> However, suppose that instead you had started by looking at this map
> of the West Coast Electric Highway:
> https://maps.google.com/maps/ms?hl=en&gl=us&ie=UTF8&oe=UTF8&msa=0&msid=214874436355124459198.0004c15567ce4ce290f50
>
> You can see that it was created by someone with the username _jimad_.
> Click that, and you go to an anonymous Google Maps profile page, which
> lists another two maps made by jimad… and what seems to be an
> anonymous review of +100712323888821655907.
>
> However, if you google the review text — or just click through the
> restaurant's name — you can then search through the reviews, and see
> that the writer of that review was in fact +103351126638314796068.
>
>
> So to review, the improper disclosure — which is _not_ anywhere
> consented to or explained to my knowledge — is that the Google Maps
> profile _jimad_ belongs to _+103351126638314796068_. (TTBOMK you can't
> get the reverse linkage; please let me know if not.)
>
> In this case, that disclosure is relatively innocuous; knowing who has
> mapped the West Coast Electric Highway isn't that big a deal.
>
> Consider other cases, though, where the creator of a map may have a
> significant privacy interest in their identity not being disclosed,
> like this map of porn stores and churches on I-70, by Google Maps user
> "Taylor" http://goo.gl/maps/7avuJ; or this map of Mumbai attacks by
> user "Omar" http://goo.gl/maps/dKbcA. Both are currently safe — the
> only thing disclosed is a separate name, and it's not linked to their
> G+ profiles or legal names.
>
> If either of them were to, say, review a restaurant, they would be
> told and have the impression that the only link they are creating is
> between their profile and the review. However, what they would also be
> creating is a public link between their _maps_ and their profile, and
> this isn't something they would've consented to.
>
> This can be mitigated pretty easily: just patch the Google Maps
> profile page to remove the reviews section, and/or make explicit the
> linkage in the opt-in consent for Google Places.
>
> However, it's already public, and the data's probably already been
> scraped significantly, so at this point it can't be fully fixed.
>
>
> I hope that the Google Maps, Places, & Plus teams take immediate
> action to correct this before it results in a leak that hurts someone
> — and thanks again to my anonymous informant for the tip.
>
> - Sai
>
> posted originally to:
> https://plus.google.com/103112149634414554669/posts/F12kZrPrwm2 — look
> for updates there, and +### are Google+ profile links

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Full Disclosure full-disclosure RSS feed   Index | Next | Previous | View Threaded
 
 


Interested in having your list archived? Contact Gossamer Threads
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.