Gmail Reveals the Names of All Users

ihatespam writes "Have you ever wanted to know the name of admin@gmail.com? Now you can. Through a bug in Google calendars the names of all registered Gmail accounts are now readily available. All you need to find out the names of any gmail address is a Google calendar account yourself. Depending on your view this ranges from a harmless "feature" to a rather serious privacy violation. According to some reports, spammers are already exploiting this "feature"/bug to send personalized spam messages."

Re:This only punishes the foolish

[Zymergy]

Ditto.
Since all names are really all about pretense, I set up mine on Gmail as "firstnamelastname@gmail.com" (Where 'firstname' and 'lastname' are my actual names.
I think there are only eight or ten other people in the US with my same spelled the same anyway. Regardless, I think Gmail's spam filters have only let a couple of false negatives into my Inbox.
*THIS* is why I use very different passwords for web mail as say, my banking or credit report service passwords, etc... If the password file were to be breached, I would only have one to change.
I suggest a good password management app such as this one: http://passwordsafe.sourceforge.net/

Re:This only punishes the foolish

[Drakonik]

False. For GMail, dots are invisible in regards to who receives the email. Emails sent to foobar@gmail.com and foo.bar@gmail.com and f.o.o.b.a.r@gmail.com all go to the same address. Messages sent to foo.bar@gmail.com don't go to bar@gmail.com.

Re:This only punishes the foolish

[pha7boy]

you are incorrect. john.richards@gmail.com send mail to johnrichards@gmail.com not to richards@gmail.com. Stripping the punctuation means gmail ignores it, not kills off the first part.

what you are talking about is using + in your email address: see here Google Blog

Re:Is it really that big of a deal?

[Motherfucking+Shit]

If I was worried about privacy with my gmail account, google wouldn't have my actual name to have the ability to give it out.

That's all well and good until you decide to start using actual Google services (Checkout, AdSense, AdWords, and the like). It's possible to do these things with a non-GMail email address, but you have to create a Google account anyway, so I'd venture to say most folks use their GMail address if they already have one.

Re:This only punishes the foolish

[antek9]

Correct. Gmail explains it this way (try sending an e-mail to yourself, putting in some dots, and you'll of course receive it yourself, with a small link in the header next to the recipient address (appropriately named, 'yes, this is you'):

Sometimes you may receive a message intended for someone whose address resembles yours but has a different number or placement of dots. For example, your address might be homerjsimpson@gmail.com, but the message was sent to a Homer.J.Simpson@gmail.com. What's going on?

Gmail allows only one registration for any given username. Once you sign up for a particular username, any dot or capitalization variations are made permanently unavailable for new registration. If you created yourusername@gmail.com, no one can ever register your.username@gmail.com, or Your.user.name@gmail.com. Furthermore, because Gmail doesn't recognize dots as characters within usernames, adding or removing dots from a Gmail address won't change the actual destination address. Messages sent to yourusername@gmail.com, your.username@gmail.com, and y.o.u.r.u.s.e.r.n.a.m.e@gmail.com are all delivered to your inbox, and only yours.

If you're homerjsimpson@gmail.com, no one owns Homer.J.Simpson@gmail.com, except for you. Sending mail to Homer.J.Simpson@gmail.com is the same as sending mail to homerjsimpson@gmail.com, or even HOMERJSIMPSON@GMAIL.COM. If you're getting mail addressed to Homer.J.Simpson@gmail.com, most likely someone was trying to send a message to Homer.J.Sampson@gmail.com, or Homer.J.Simpson1@gmail.com, and made a mistake. You might even get messages from mailing lists or website registrations because the intended recipient accidentally provided the wrong email address. In these cases, we suggest contacting the original sender or website when possible to alert them to the mistake.

For security reasons, when you log in to Gmail, you must enter any dots that were originally defined as part of your username.

Note: Google Apps recognizes dots. If you'd like to receive mail with a dot in your username, please ask your domain administrator to add the desired username as a nickname.

Re:Is This Evil?

[dhavleak]

Sure, it's an unfortunate bug. Yes, the spam has potential to annoy--but it's spam; would you even notice a few more in the spam box?

It's more serious than that. Once the spammers know your name they can construct more personalized messages which has two implications:
- Increased chance of success in a social engineering attack.
- Better chance of fooling a spam filter.

If you're the kind of person who emails others without disclosing your real name, why would you give your real name to the email provider?

Spammers don't wait for you to email them. They buy lists of email addresses in bulk. For this particular vulnerability, they can even use a random generator and just keep track of the hits when adding appointments to the calendar.

Unless I'm a spambot, I'm not going to sit down and type out random strings of words and numbers to find out the name data on some arbitrary addresses. Whether it's Hotmail or Yahoo or Gmail doesn't matter here.

Assume you are a spambot then -- that's what TFA is about -- a security vulnerability in Gmail that spammers can take advantage of. Spammers are usually interested in creating spambots.

I don't know where OP's question about "evilness" comes in. Google deserves the benefit of doubt (about this being an honest mistake) as long as they fix it, rather than issuing some BS reason not to.

Re:This only punishes the foolish

[The+Clockwork+Troll]

Check the message headers. Probably, the envelope recipient (SMTP RCPT To) was your account and the header "To:" was the address you don't own.