Google Voice Mails Found In Public Search Engine

bonch writes "Google Voice Mails have been discovered in Google's search engine, providing audio files, names, and phone number as if you were logged in and checking your own voice mail. Some appear to be test messages, while others are clearly not. Google has since disabled indexing of voice mails outside your own website."

I dont want to listen to my voice mails

[lyquidevil]

and dont really care if you do. But bad move google.

User action?

[jbohumil]

This doesn't sound like a bug or leak, more like some users set up links or otherwise made their messages public.

Re:User action?

Exactly.

IMHO, totally a non-issue: google doesn't spider their own service, but if you post links to your voice mail on a public page with a permissive robots.txt, it gets spidered and shows up in search results with them or anyone else.

I completely get why Google is now removing these from search results -- they must be seen to be fixing this before it blows up as a scandal -- but shouldn't this sort of media panderage qualify as the evil they purportedly "don't be"? You'd think they're big enough to stand up and enlighten morons about robots.txt specifically, and about the general truth that when you post something on the internet, it's there forever.

Re:User action?

[geekboy642]

You speak facetiously, of course, but spending the time and effort to setup your own email server is a very valuable exercise. And at the end, you get an email account with no limits. Want ridiculously tight spam filters? Easy. Want to send and receive 1GB email attachments? Your insanity can be catered to.

And best of all, nobody is sitting there watching all of your emails and serving you ads based on what you're emailing about.

Re:User action?

[E+IS+mC(Square)]

Right on. Here is what Google says: http://www.google.com/support/forum/p/voice/thread?tid=7625b775a05e9401&hl=en

Re:User action?

[antifoidulus]

if 99.999% downtime would have been acceptable

Some people have such high standards, I mean jeez the server was functional for 8.64 seconds today, isn't that enough?

Re:User action?

[antifoidulus]

Actually it was 86.4 milliseconds, but when you are only expecting .0001% uptime, you cannot expect your service provider to be able to do arithmetic :P

Re:User action?

[Omnifarious]

The obscurity in this case happens to be a random number that's at least 100 bits long if not a lot longer. Sure I could guess that, but I could guess your 128 bit symmetric cipher key too.

No, what happened here is that people used this extremely obscure URL to provide public links to their voicemail messages and google happily indexed those links. And, you know, when you publicize links to things, they show up in search engines.

Now, google could additionally require authorization before letting people have access to those links, but the way you find out what the big long random number is is by clicking on something saying something along the lines of "I want to share this voicemail with someone." which means that you want someone other than yourself to have access to it. Making the link require authorization to get to would completely defeat the purpose of sharing it with someone.

No, in my opinion, what google should do is have a per-voicemail switch that lets you decide whether or not the public sharable link works or not. Then you can share the link with a friend, and when you want to close up access so your friend can't share the link with their friend or post it on the internet or whatever, you click on the little check box and the link stops working.

Voicemails that you schedule for deletion should become private by default when they hit the trash can.

Natural Language Processing Needs Work

[eldavojohn]

Looks like they got my message to Steve Ballmer.

Article is already updated

[vxvxvxvx]

UPDATE: It seems as if these voicemails have been publicly posted/shared online and Google indexes them. Here’s official word:

“Since the initial idea behind posting a voicemail, was precisely to share it with others, we did not restrict crawling of those messages that users post on the web, but we can certainly understand that users would want to make them public on their sites but not necessarily searchable directly outside of their own website. We made a change to prevent those to be crawled so only the site owner can decide to index them.”

Re:Article is already updated

[Mr.Bananas]

At around 10am, a comment on the same page linked by OP revealed what the parent has pointed out, and even linked to a GV forum post explaining as much.

And yet, at 5pm, Slashdot posts this as news...

Re:Article is already updated

[Beardo+the+Bearded]

Common. I remember when Beenz did that for a grand prize, and someone found the URL and claimed the prize. They got the equivalent of $500USD in Beenz.

Younger readers are wondering, "what the fuck are Beenz?".

If it's out there

[El_Muerte_TDS]

Like everything on the internet, if it's public, a web-spider will find it (eventually). But I'm seriously impressed by the speech-to-text engine Google uses, quite nice.

The Real Problem is ...

[itzfritz]

The real problem, IMO, is that Google Voice voicemails are world-readable to begin with. The only security is the URL scheme. If that can be reverse engineered, the privacy of all google voice users will be in danger. (fyi I have tested this myself. The url scheme is "https://www.google.com/voice/fm/20-digit account id/long b64 encoded binary string", and these urls can be viewed by unauthenticated users. Note the use of https; while no man in the middle will read my voicemail, the man on one end can ;)