Raw Thought

by Aaron Swartz

Google Voice Security Flaw

Google Voice allows you to get a new telephone number (a “Google Voice number”) and when people dial that number, Google will patch the call through to your various other phones. That way you can give people one phone number and it will ring your home phone, your cell phone, your work phone. (Apparently this is a service for people who still have home and work phones.)

It now requires new phones to go through a verification process to be added to that list, but I believe that phones that were added back when Google Voice was GrandCentral (Google bought it) are carried over and never required verification.

You can also create rules for which phones ring. I set mine up so that if the callbox at our apartment calls the Google Voice number (i.e. someone is trying to get into the apartment), it rings both me and my roommate. Otherwise it just rings me.

Now here’s the odd thing: when my roommate texts someone with a Google Voice number (or vice versa), their SMS chats show up in my Google Voice account. It took me a long time to figure out what was going on — at first it just looked like other people’s SMS chats were just appearing in my inbox. But it now seems clear that Google Voice looks at the phone number of incoming SMSes and, if it’s attached to an account, stores the SMSes in that account.

I suppose one should trust their roommate, but I think people should be aware of this issue nonetheless.

You should follow me on twitter here.

August 25, 2009


You might try checking your roommate’s phone number settings in your Google Voice account. If it is set as a Mobile number you could try clicking Edit, and turning off the “Receive SMS on this phone”. I don’t know if that would correct this problem, but it is worth a shot.

posted by Jason McPheron on August 25, 2009 #

I’m not worried for my own sake; I’m worried for my roommates. That I could take measures to keep from looking at her texts doesn’t address the basic security issue: that I can look at her texts.

posted by Aaron Swartz on August 25, 2009 #

ooooh that explains it.

posted by quinn on August 26, 2009 #

I wouldn’t truly call this a security flaw, as this is one of the core features of Google Voice. As GV is designed to receive SMS messages without the need for a mobile device to receive the messages, they must be stored on the account.

If you are both worried about it, the only course of action is to correct those sending SMS messages to the GV number by having them send directly to the mobile device.

posted by Brent Mullen on August 26, 2009 #

They should be stored in the account of the person they’re sent to, not some-account-that-might-be-plausibly-related-to the sender.

posted by Aaron Swartz on August 26, 2009 #

Ah, after a careful re-read I think I see what you are saying. I might have to play around with that a bit.

posted by Brent Mullen on August 26, 2009 #

You can also send comments by email.

Email (only used for direct replies)
Comments may be edited for length and content.

Powered by theinfo.org.