Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Google Maps pseudonym disclosure vulnerability via Google Places reviews
From: Sai <sai () saizai com>
Date: Fri, 19 Oct 2012 20:19:22 -0700

Update: the Maps team has fixed this issue using both of my suggested patches.

a) Reviews are no longer listed on Maps user profiles, thus removing
the forward link
b) Reviews are listed on G+ user profiles, thus making clear the disclosure.

Credit where credit is due.

- Sai

On Mon, Oct 1, 2012 at 6:04 PM, Sai <sai () saizai com> wrote:
Recently, Google Places (aka Yelp Lite :-P) got linked to G+ profiles.
This linkage has created a potentially serious privacy vulnerability.
To my knowledge it has not previously been disclosed; I know it thanks
to a tip from a concerned Google maps user.

So, first off, the integration isn't fully obvious; it's not listed on
the G+ about page. It is explicitly disclosed when you opt in to
reviews that it will be linked to your profile, just not always
obvious afterwards.

Consider for instance +103351126638314796068. His About page doesn't
list anything, which would seem to imply that he doesn't want his
reviews linked with his G+ profile (which has what is presumably his
legal name). However, if you go to
https://plus.google.com/local/*/s/by%3A103351126638314796068 (same ID
number) you'll find that he has reviewed +100712323888821655907.

(Although that personal reviews link _doesn't_ link to his G+ profile
directly, the restaurant's Page _does_ do so, and of course it's
intrinsic to the ID number in the URL.)

If you do a google search for the review text, you can see that at
least one third party site has already scraped it.

Now, this wouldn't be too bad by itself. It's a couple UI flaws, and
to my knowledge you can't get from here to what I'm about to talk
about, only the other way 'round.

However, suppose that instead you had started by looking at this map
of the West Coast Electric Highway:

You can see that it was created by someone with the username _jimad_.
Click that, and you go to an anonymous Google Maps profile page, which
lists another two maps made by jimad… and what seems to be an
anonymous review of +100712323888821655907.

However, if you google the review text — or just click through the
restaurant's name — you can then search through the reviews, and see
that the writer of that review was in fact +103351126638314796068.

So to review, the improper disclosure — which is _not_ anywhere
consented to or explained to my knowledge — is that the Google Maps
profile _jimad_ belongs to _+103351126638314796068_. (TTBOMK you can't
get the reverse linkage; please let me know if not.)

In this case, that disclosure is relatively innocuous; knowing who has
mapped the West Coast Electric Highway isn't that big a deal.

Consider other cases, though, where the creator of a map may have a
significant privacy interest in their identity not being disclosed,
like this map of porn stores and churches on I-70, by Google Maps user
"Taylor" http://goo.gl/maps/7avuJ; or this map of Mumbai attacks by
user "Omar" http://goo.gl/maps/dKbcA. Both are currently safe — the
only thing disclosed is a separate name, and it's not linked to their
G+ profiles or legal names.

If either of them were to, say, review a restaurant, they would be
told and have the impression that the only link they are creating is
between their profile and the review. However, what they would also be
creating is a public link between their _maps_ and their profile, and
this isn't something they would've consented to.

This can be mitigated pretty easily: just patch the Google Maps
profile page to remove the reviews section, and/or make explicit the
linkage in the opt-in consent for Google Places.

However, it's already public, and the data's probably already been
scraped significantly, so at this point it can't be fully fixed.

I hope that the Google Maps, Places, & Plus teams take immediate
action to correct this before it results in a leak that hurts someone
— and thanks again to my anonymous informant for the tip.

- Sai

posted originally to:
https://plus.google.com/103112149634414554669/posts/F12kZrPrwm2 — look
for updates there, and +### are Google+ profile links

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]