BreachExchange mailing list archives

35m Google Profiles dumped into private database


From: security curmudgeon <jericho () attrition org>
Date: Wed, 25 May 2011 19:41:02 -0500 (CDT)


http://www.theregister.co.uk/2011/05/25/google_profiles_database_dump/

35m Google Profiles dumped into private database
Easy as pie
By Dan Goodin in San Francisco
Posted in ID, 25th May 2011 23:33 GMT

Proving that information posted online is indelible and trivial to mine, 
an academic researcher has dumped names, email addresses and biographical 
information made available in 35 million Google Profiles into a massive 
database that took just one month to assemble.

University of Amsterdam Ph.D. student Matthijs R. Koot said he compiled 
the database as an experiment to see how easy it would be for private 
detectives, spear phishers and others to mine the vast amount of personal 
information stored in Google Profiles. The verdict: It wasn't hard at all. 
Unlike Facebook policies that strictly forbid the practice, the 
permissions file for the Google Profiles URL makes no prohibitions against 
indexing the list.

What's more, Google engineers didn't impose any technical limitations in 
accessing the data, which is made available in an extensible markup 
language file called profiles-sitemap.xml. The code he used for the 
data-mining proof of concept is available here.

[..]
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
