Google Calendar Flaw Exposes Real Names of Gmail Users
Tom Corelis / DailyTech
July 17, 2008
‘Exploit reveals the ugly side of keeping data in the cloud.’
A bug found in the Google Calendars beta exposes the real name of anyone registered with a Gmail account.
Originally posted at the Securiteam blog, the bug allows anyone with a Google Calendar account to reveal other Gmail account holders’ (registered) real names simply by hitting the “back” button after sending an invite.
Internal testing by DailyTech finds that the bug is still active at the time of this writing.
Worse, reveals Canadian blogger Holden Karau, is that the bug works for any account in Gmail’s system, including private Gmail accounts operating under other domains.
“Perhaps something for universities considering outsourcing their mail to consider,” writes Karau.
While Google Calendars will not reveal the name behind an invited e-mail address when it is first entered in the invite screen, going back to the page after navigating away will refresh the list, displaying Gmail accounts alongside each user’s registered real name.
User response on Slashdot ranged from sarcastic to somewhat concerned:
“The person(s) responsible for this bug is going to have a nice and very uncomfy meeting with their supervisor very soon…” said commenter Shados.
“..after which exercise balls (in lieu of the usual chair) will be thrown in a fit of unbridled anger,” replied Game Kid.
“Several tech websites will report a mysterious colorful stream of balls spilling out the Google offices,” he added.
The bug reveals an unfortunate side to the beta-happy Web 2.0 world that the internet currently enjoys: while users get to play with software “before it’s ready” – even though Google has a reputation for keeping software in beta for prolonged periods of time – sometimes incomplete, untested, or poorly-thought-out features are shipped before they are ready. More concerning, however, is the fact that, in this case, bugs from a younger application like Google Calendar have spilled out to affect users of a much older, more mature application like Gmail.
“This is exactly why I remain leery of applications in the cloud,” said Slashdot commenter gamanimatron.
Anecdotal reports indicate that spammers are already exploiting the Calendar bug in phishing attempts, harvesting users’ names in order to send them personalized e-mails.
Google was not immediately available for comment.
© 2008, DailyTech

MikeD
about 1 year ago
866 comments
Thanks Google, that's really helpful.
kamalcola
about 1 year ago
2 comments
Scary situation and perhaps put you in defines and recovery status.
mybellegirls
about 1 year ago
2 comments
certainly play status - yet some companies out there use G apps for their corporate email -- perhaps they'll think twice once they catch on......
czar
about 1 year ago
252 comments
LOL... I always thought Google mail was a "Play" mail account, that's why I have my own domain, and a security conscious website provider, I direct who sees what. Play accounts shouldn't have any identifying information......jeez
NMc
about 1 year ago
2144 comments
omg