Phone Number Privacy? We don’t do that here: Google Hangout Call!

Avinash Jain (@logicbomb)
4 min readMay 28, 2020

--

Work-from-home culture slowly becoming a norm

With work-from-home culture slowly becoming a norm, IT companies around the globe are bringing in various new developments in its team engagement tools to cater to such needs and also to compete with every increasing popularity of Zoom.

Zoom which has recently come under the radar with hackers exploiting various misconfiguration in their tool and hence shifting the concerns towards their loosely tied security and privacy control measures. While Zoom is being highly criticized for all the security concerns that are being highlighted, other platforms such as Google Meet, Microsoft Skype, etc are using this opportunity to promote their product. Recently Google has announced its Google Meet, google premium video conferencing product, free for everyone.

While many businesses and organizations facing the need to support remote employees, looking for help familiarizing themselves with digital tools to maintain productivity, one of the Google Tools, Hangouts still retains the branding as we have known it for a long time.

This is a messaging app that you can use to connect with friends, family, and colleagues. You can do text messages, video calls, and voice calls. Much like WhatsApp. The thing is, Hangouts is preloaded in a lot of Android phones. Hangouts users could make free phone calls to other Hangouts users over the web, as well as free voice calls to any number in the U.S. or Canada.

Google Hangout call exposing your phone number to the world! Recently, I was trying to use hangout call service, and what seems one of the basic “security practices” was altogether missing. Haven’t we all read this or come across — Information exposure through query strings in URL, how dangerous can be the use of GET Request Method with sensitive query strings? OWASP clearly outlines this and yet it was missing here. When I tried calling using Google Hangout, I could see the mobile number of the recipient going in URL query string.

Mobile Number via the query string

Now it was just a matter of just putting a single google dork query (Google advanced search query) over search bar to list down all search queries being indexed and cached by search engines(Unless you have set protection and blocking over indexing of pages with query strings).

A simple google query listed more than thousands of mobile numbers being exposed over the internet due to the weak and insecure implementation in the Google Hangout Calling feature.

At the bottom of the above screenshot, you can see a mobile number being exposed (just for POC, I hovered my selection over one of the result sets). Things didn't stop here, I tried searching for the same using OSINT and found there are around 18,000 hangout URLs being indexed by search engines exposing thousands of more mobile number of users over the internet.

It was reported to Google Security Team through their Bug Bounty Program and it seems not to be a privacy issue for them. They are fine with exposing mobile numbers of users over the internet and also not concerned about removing the already exposed data.

Probably it’s mindful to follow what should be followed

If you are using the GET method carrying any sensitive data in query strings, you should immediately change the implementation to POST or direct your webmaster to not crawl it. https://support.google.com/webmasters/answer/6080548?hl=en&visit_id=637258271005597566-2139483329&rd=1

and if you think it can be protected by blocking it in robots.txt then you might be wrong. Here is what John(Webmaster Trends Analyst at Google) has to say and recommendation —

--

--

Avinash Jain (@logicbomb)
Avinash Jain (@logicbomb)

Written by Avinash Jain (@logicbomb)

Security Engineer @Microsoft | DevSecOps | Speaker | Breaking stuff to learn | Featured in Forbes, BBC| Acknowledged by Google, NASA, Yahoo, UN etc

Responses (1)