doctorow at March 31st, 2014 13:04 — #1
chanfan at March 31st, 2014 13:12 — #2
He recorded calls? How the heck is he planning to escape jail? Seems to me many other security flaw researchers have done much less and been prosecuted…
jhbadger at March 31st, 2014 13:18 — #3
Exactly. It's one thing to point out that something like that can be done and another to actually do it. Recording calls (especially to a Federal agency) is a serious legal matter even if it wasn't done maliciously.
glyphgryph at March 31st, 2014 13:48 — #4
Our government has made it clear that such a thing is only a "serious legal matter" if someone gets taken by a whim and decides to make an example of you, rather than being a "real" legal issue that law enforcement should really worry about, you know? I mean, it's not like this guy was listening to the calls - he was only really collecting metadata, you know. And he didn't target anyone in particular, nor did he target everyone, so it's okay.
That said, yeah, this guy is asking to be thrown under the bus.
jonathanpeterso at March 31st, 2014 15:04 — #5
I didn't realize this was a real thing. I'd always assumed crap results in Google Maps were just crap, fly-by-night companies that I didn't want to do business with anyway. It's not like spammers are spending time creating a custom photo and real website and significant numbers of customer reviews, is it?
thekaz at March 31st, 2014 15:36 — #6
But.. but.. for a couple days, at least, you can use Google Maps to catch Pokemon!
jhbadger at March 31st, 2014 15:54 — #7
I hadn't heard of it either -- but a bit of searching indicates that crooked locksmith firms in particular have been doing what Cory encountered with Google Maps for years. I guess it works better with things like locksmiths and tow trucks because not hearing about the firm until you tried to use them would be pretty common.
thorzdad at March 31st, 2014 16:13 — #8
It's interesting to note that the enabling culprit here is Google Places, which has long been an opening for all sorts of mischief, entirely due to the ridiculous manner in which it's set up.
A couple of years ago, a client of mine discovered that a Google Places page existed for their business (an adoption agency) even though they had never created a GP page. They also discovered that the page had an incorrect phone number. Calling that number got you through to the actual agency phone number, but there was an obvious delay in connecting.
They investigated and discovered that a marketer they had worked with had taken it upon themselves to create the GP page. (Yes, under Google Places, you don't have to own the business to start a GP page for it.) The phone number rang into the marketer's office, then re-routed to the adoption agency. They were told it was just to measure phone traffic from the GP page, but, obviously, they could well have recorded conversations if they wanted.
The agency went and created their own GP page (with the correct info, phone number, etc.) but, the way Google Places works is if there are competing pages for the same business, the data will slowly become blended, and somehow the "real" information wins out. It's nuts. Even after the marketer took down his GP page, the two GP pages remained blended for several months until the real page won.
daemonworks at March 31st, 2014 16:39 — #9
Nothing here really constitutes an attack against Google Maps, or any other Google service for that matter. It's just a demonstration of the sort of stuff you can do with them as currently provided.
Using power tools to convert your truck into a tank A-Team style isn't an attack on the hardware store.
Might lead to one though.
nadreck at March 31st, 2014 17:51 — #10
Just goes to show that this new-fangled Google stuff is no replacement for your good ol', reliable Yellow Pages!
micah at March 31st, 2014 19:50 — #11
I have a friend whose home phone number and building street address (but not apartment number) somehow ended up associated with the embassy of an African nation.
It now shows up in Google Maps, Citysearch and Yahoo Local, but also in Superpages.com, Dexknows.com, Yellowpages.com, Switchboard.com and other phone directory sites. I haven't seen a physical phone book to see if it's listed there, too. The friend has absolutely no idea how his info came to be associated with the country in question.
caitifty1 at March 31st, 2014 19:59 — #12
Well, Google Maps has always sucked quite badly at producing decent results for nearby relevant businesses, so much so that Yelp is better (and given how much Yelp sucks, that's saying quite something). Just yesterday I was trying to find an excellent seafood market about a mile from my house whose name I'd blanked on - Google Maps spat up all kinds of random diners and places like Trader Joe's, but never the market in question. I finally found it using Yelp, then just to test, typed the name of the place (which includes the words 'seafood' and 'market') into Google Maps, which promptly displayed it (so they had it in their database). Kind of odd given how good their regular search is.
boundegar at March 31st, 2014 20:51 — #13
Oh no, that's not true. Merely pointing out the security hole gets you prosecuted now.
blissfulight at March 31st, 2014 21:45 — #14
He went to the Secret Service and demonstrated the exploit to them, after it got some traction on Mike's blog. It certainly got theirs and Google's attention.
jack_n_fran_far at March 31st, 2014 23:15 — #15
Microsoft is performing a valuable (red team) service to the G+ design team. Hopefully, Maps will be the next Google service to be put behind the Google encrypt-everything wall, and phishers, cookie pushers and other malefactors masquerading as advertisers will get the same treatment.
mouse_the_lucky at April 1st, 2014 04:58 — #16
While I am bothered by Google's lack of security, I have to ask why Microsoft is tasking experienced engineers with breaking into Google services instead of fixing their own holes which even a ten-year-old could go through?
blissfulight at April 1st, 2014 14:59 — #17
Bryan doesn't work for Microsoft.
blissfulight at April 1st, 2014 15:00 — #18
No one at Microsoft is breaking into Google's services. Bryan doesn't work for Microsoft.
doctorow at April 5th, 2014 13:04 — #19
This topic was automatically closed after 5 days. New replies are no longer allowed.