Slashdot Mirror


Gmail Reveals the Names of All Users

ihatespam writes "Have you ever wanted to know the name of admin@gmail.com? Now you can. Through a bug in Google calendars the names of all registered Gmail accounts are now readily available. All you need to find out the names of any gmail address is a Google calendar account yourself. Depending on your view this ranges from a harmless "feature" to a rather serious privacy violation. According to some reports, spammers are already exploiting this "feature"/bug to send personalized spam messages."

10 of 438 comments

  1. Re:This only punishes the foolish by Zymergy · · Score: 4, Informative

    Ditto.
    Since all names are really all about pretense, I set up mine on Gmail as "firstnamelastname@gmail.com" (where 'firstname' and 'lastname' are my actual names).
    I think there are only eight or ten other people in the US with my same name spelled the same anyway. Regardless, I think Gmail's spam filters have only let a couple of false negatives into my Inbox.
    *THIS* is why I use very different passwords for web mail as say, my banking or credit report service passwords, etc... If the password file were to be breached, I would only have one to change.
    I suggest a good password management app such as this one: http://passwordsafe.sourceforge.net/

  2. Re:This only punishes the foolish by Drakonik · · Score: 4, Informative

    False. For GMail, dots are invisible in regards to who receives the email. Emails sent to foobar@gmail.com and foo.bar@gmail.com and f.o.o.b.a.r@gmail.com all go to the same address. Messages sent to foo.bar@gmail.com don't go to bar@gmail.com.

  3. Re:This only punishes the foolish by pha7boy · · Score: 4, Informative

    You are incorrect. john.richards@gmail.com sends mail to johnrichards@gmail.com, not to richards@gmail.com. Stripping the punctuation means Gmail ignores it, not kills off the first part.

    What you are talking about is using + in your email address: see here Google Blog

    --
    -- All this knowledge is giving me a raging brainer.

  4. Re:Is it really that big of a deal? by Motherfucking+Shit · · Score: 4, Informative

    If I was worried about privacy with my gmail account, google wouldn't have my actual name to have the ability to give it out.

    That's all well and good until you decide to start using actual Google services (Checkout, AdSense, AdWords, and the like). It's possible to do these things with a non-GMail email address, but you have to create a Google account anyway, so I'd venture to say most folks use their GMail address if they already have one.

    --
    "BSD: Free as in speech. Linux: Free as in beer. Windows 10: Free as in herpes." --Man On Pink Corner in #52607549.

  5. Re:This only punishes the foolish by antek9 · · Score: 5, Informative

    Correct. Gmail explains it this way (try sending an e-mail to yourself, putting in some dots, and you'll of course receive it yourself, with a small link in the header next to the recipient address (appropriately named, 'yes, this is you')):

    Sometimes you may receive a message intended for someone whose address resembles yours but has a different number or placement of dots. For example, your address might be homerjsimpson@gmail.com, but the message was sent to a Homer.J.Simpson@gmail.com. What's going on?

    Gmail allows only one registration for any given username. Once you sign up for a particular username, any dot or capitalization variations are made permanently unavailable for new registration. If you created yourusername@gmail.com, no one can ever register your.username@gmail.com, or Your.user.name@gmail.com. Furthermore, because Gmail doesn't recognize dots as characters within usernames, adding or removing dots from a Gmail address won't change the actual destination address. Messages sent to yourusername@gmail.com, your.username@gmail.com, and y.o.u.r.u.s.e.r.n.a.m.e@gmail.com are all delivered to your inbox, and only yours.

    If you're homerjsimpson@gmail.com, no one owns Homer.J.Simpson@gmail.com, except for you. Sending mail to Homer.J.Simpson@gmail.com is the same as sending mail to homerjsimpson@gmail.com, or even HOMERJSIMPSON@GMAIL.COM. If you're getting mail addressed to Homer.J.Simpson@gmail.com, most likely someone was trying to send a message to Homer.J.Sampson@gmail.com, or Homer.J.Simpson1@gmail.com, and made a mistake. You might even get messages from mailing lists or website registrations because the intended recipient accidentally provided the wrong email address. In these cases, we suggest contacting the original sender or website when possible to alert them to the mistake.

    For security reasons, when you log in to Gmail, you must enter any dots that were originally defined as part of your username.

    Note: Google Apps recognizes dots. If you'd like to receive mail with a dot in your username, please ask your domain administrator to add the desired username as a nickname.

    --
    A World in a Grain of Sand / Heaven in a Wild Flower,
    Infinity in the Palm of your Hand / And Eternity in an Hour.

  6. Re:Is This Evil? by dhavleak · · Score: 4, Informative

    Sure, it's an unfortunate bug. Yes, the spam has potential to annoy--but it's spam; would you even notice a few more in the spam box?

    It's more serious than that. Once the spammers know your name they can construct more personalized messages which has two implications:
    - Increased chance of success in a social engineering attack.
    - Better chance of fooling a spam filter.

    If you're the kind of person who emails others without disclosing your real name, why would you give your real name to the email provider?

    Spammers don't wait for you to email them. They buy lists of email addresses in bulk. For this particular vulnerability, they can even use a random generator and just keep track of the hits when adding appointments to the calendar.

    Unless I'm a spambot, I'm not going to sit down and type out random strings of words and numbers to find out the name data on some arbitrary addresses. Whether it's Hotmail or Yahoo or Gmail doesn't matter here.

    Assume you are a spambot then -- that's what TFA is about -- a security vulnerability in Gmail that spammers can take advantage of. Spammers are usually interested in creating spambots.

    I don't know where OP's question about "evilness" comes in. Google deserves the benefit of doubt (about this being an honest mistake) as long as they fix it, rather than issuing some BS reason not to.

  7. Easy How To: by Raven737 · · Score: 3, Informative

    Just create any calendar entry (single click on an empty field) with just the gmail address in the main 'What:' field, select 'don't send' and open it up (double click)... there you see the full user name of the gmail account.
    Not sure why the article makes it so complicated...

    So the admin@gmail.com guy is named 'smart ass'... poor fellow ;)

  8. A reverse lookup phone book is much harder to find by Shirotae · · Score: 3, Informative

    You may have been given a book that does name->phone-number lookups for those who have not chosen to opt out but I believe that it is very much harder to get access to the inverse function that does phone-number->name lookups. I suspect that it varies by jurisdiction but I believe that in some places at least, people can be in serious trouble for giving access to the database that performs that function to those who do not have the proper authorization.

    Those who are familiar with security will know the concept of work-factor. You can reverse lookup with a phone book but if all you have is a printed copy it is a lot of work. The cost of doing that work is the deterrent. Modern technology has made it easier, but it is still costly. The idea is to adjust the cost/benefit ratio so that an attack is not worthwhile.

    The concern for the revealing of names from addresses is that it makes it cheaper for confidence tricksters to deliver some plausible message that will trick people into giving them some of their money. If the average cost of creating the plausible message becomes less than the expected return then the level of scamming will increase. Those of us not taken in by the tricksters will still suffer from increased level of junk so it is in all our interests to take this kind of thing seriously.

  9. Re:This only punishes the foolish by The+Clockwork+Troll · · Score: 4, Informative

    Check the message headers. Probably, the envelope recipient (SMTP RCPT To) was your account and the header "To:" was the address you don't own.

    --

    There are no karma whores, only moderation johns

  10. Re:This only punishes the foolish by ReptileQc · · Score: 3, Informative

    Actually there is another feature of Gmail that was advertised through their blog. And it states that me+nospam@gmail.com is directed to me@gmail.com

    So basically all the characters after the + sign (including it) in the email address are stripped to determine the receiver. You will see that the email has been sent to me+nospam@gmail.com and can then filter on it. If used intelligently, it can tell you which site is selling your email address to other 3rd party companies.
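
The addressing rules described in the comments above (dots and case ignored on gmail.com, everything from "+" onward dropped, and the envelope recipient differing from the "To:" header) can be checked mechanically. The following Python sketch is an added example, not code from any commenter or from Google; the function names and sample messages are constructed, and it assumes the receiving system records the envelope recipient in a `Delivered-To` header.

```python
from email import message_from_string
from email.utils import getaddresses

# Only the consumer domain ignores dots; per the quoted help text, Google Apps
# (hosted) domains recognize them, so other domains are left untouched.
GMAIL_DOMAINS = {"gmail.com"}

def canonical(addr):
    """Mailbox an address resolves to under the dot, case and '+' rules."""
    local, at, domain = addr.strip().rpartition("@")
    if not at:
        return addr.strip()               # not an address; leave as-is
    domain = domain.lower()
    if domain in GMAIL_DOMAINS:
        local = local.lower().split("+", 1)[0].replace(".", "")
    return f"{local}@{domain}"

def plus_tag(addr):
    """Text after '+' in the local part, or None."""
    local = addr.rpartition("@")[0]
    return local.split("+", 1)[1] if "+" in local else None

def classify_delivery(raw):
    """Compare the delivered mailbox with the visible To/Cc headers."""
    msg = message_from_string(raw)
    delivered = [a for _, a in getaddresses(msg.get_all("Delivered-To", []))]
    visible = [a for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    if not delivered:
        return ("unknown", None)
    box = canonical(delivered[0])
    for addr in visible:
        if canonical(addr) == box:
            return ("exact" if addr.lower() == box else "alias", plus_tag(addr))
    return ("envelope-only", None)

def sample(delivered_to, to):
    """Constructed message for the demo (not taken from the thread)."""
    return (f"Delivered-To: {delivered_to}\nFrom: shop@example.org\n"
            f"To: {to}\nSubject: constructed sample\n\nbody\n")

if __name__ == "__main__":
    me = "homerjsimpson@gmail.com"
    for to in ("Homer Simpson <Homer.J.Simpson+shop@gmail.com>",
               "homer.j.sampson@gmail.com", me):
        print(to, "->", classify_delivery(sample(me, to)))
```

An "alias" result with a tag shows which "+" address a sender used, while "envelope-only" means the visible "To:" names a mailbox that does not resolve to the one that received the message.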