A bug found in the Google Calendars beta exposes the real
name of anyone registered with a Gmail account.
Originally
posted at the Securiteam blog, the bug allows anyone with a Google Calendar
account to reveal other Gmail account holders’ (registered) real names simply by
hitting the “back” button after sending an invite.
Internal testing by DailyTech
finds that the bug is still active at the time of this writing.
Worse, Canadian blogger Holden Karau reveals, the
bug works for any account in Gmail’s system, including private Gmail accounts
operating under other domains.
“Perhaps something for universities considering outsourcing
their mail to consider,” writes Karau.
While Google Calendars will not reveal the name behind an invited e-mail
address when it is first entered in the invite screen, going back to the page
after navigating away will refresh the list, displaying Gmail accounts
alongside that user’s registered real name.
User response on Slashdot ranged from sarcastic to somewhat concerned:
“The person(s) responsible for this bug is going to have a
nice and very uncomfy meeting with their supervisor very soon...” said
commenter Shados.
“..after which exercise balls (in lieu of the usual chair)
will be thrown in a fit of unbridled anger,” replied Game Kid.
“Several tech websites will report a mysterious colorful
stream of balls spilling out the Google offices,” he added.
The bug reveals an unfortunate side to the beta-happy Web 2.0
world that the internet currently enjoys: while users get to play with
software “before it’s ready” – even though Google has a reputation for keeping
software in beta for prolonged periods of time – sometimes incomplete,
untested, or poorly-thought-out features can be implemented before they are
ready. More concerning, however, is the fact that, in this case, bugs from a
younger application like Google Calendar have spilled out to affect users of a
much older, more mature application like Gmail.
“This is exactly why I remain leery of applications in the
cloud,” said Slashdot commenter gamanimatron.
Anecdotal reports indicate that spammers are already exploiting
the Calendar bug in phishing attempts, harvesting users’ names in order to send
them personalized e-mails.
Update 07/17/2008: A Google representative told DailyTech that the company does not consider the bug a security vulnerability. Rather, it was a feature originally incorporated to "make it easier to send Calendar invites to Gmail users." Regardless, Google says it is "currently taking steps to remove it."