Wave wasn’t the only Google service to be opened up to the public this week, as Google has now lifted the invite-only restriction on its popular Google Voice service. It’s still only available to residents of the United States, but now the only thing standing between you and free calls, free SMS messages (to anywhere in the U.S. and Canada), voice mail transcripts, and one number for all of your phones is logging into voice.google.com with your Google account and picking out a number.
Holy crap. It seems that Google is going to have some pretty serious explaining to do this morning, as one of our readers has sent us a tip that reveals a major security flaw involving Google Voice. After entering “site:https://www.google.com/voice/fm/*” into Google, our reader was shocked and discouraged to be greeted by 31 voice mail messages belonging to random Google Voice accounts. Clicking on each revealed not only the audio file and transcript of the call, but also the caller’s name and phone number, as it would if you were checking your own Google Voice voice mail. We’re not too sure if this flaw is something new or if it has been around since Google Voice started, and these could just be test messages, but needless to say the matter has to be fixed if it’s legit. Some censored screenshots are after the jump.
UPDATE: It seems as if these voicemails have been publicly posted/shared online and Google indexes them. Here’s the official word:
“Since the initial idea behind posting a voicemail was precisely to share it with others, we did not restrict crawling of those messages that users post on the web, but we can certainly understand that users would want to make them public on their sites but not necessarily searchable directly outside of their own website. We made a change to prevent those from being crawled so only the site owner can decide to index them.”