IceDegu

Reputation Activity

  1. Like
    IceDegu got a reaction from Vishera in Google Business vulnerability
    Hello,
    So about 1 and a half years ago I thought I found a sort of vulnerability with Google Maps, and over the following months I investigated it further. I will go into more detail in a second and would like a discussion and to hear your thoughts, but mainly I would like to have you informed about this issue because it could affect you yourself.
    If I have spelling mistakes or my grammar is wrong, please correct me; English isn't my native language.
     
    I will update this topic with more detailed information when I get all of my notes together ^^
     
    The "vulnerability"
    First of all, I asked 2 companies, which said it isn't eligible for bug bounty, so please don't spam random companies with this article -thx

    When you are googling a company or a location, Google will normally show you the Google Business information that they gathered by helpful locals or websites, so Google is able to display the information to you.
    The problem is that (at least in my country, Germany, and I think in others as well) businesses don't claim their business on Google; that leads to the problem that -someone- could enter false information. To be fair, depending on how drastic your changes are to the data that Google shows, more people will have to report or confirm that information. I don't know how to program a bot that could do that, but I have had time, so I tried how much you could change and found this:

    Change the telephone number by 1 number:
    1 User
    Change the telephone number by 2 numbers:
    1 User (sometimes 2)
    Change the telephone number by more than 2 numbers:
    Changes drastically from business to business, but around 10 users with Local Guide or 18 without

    To change the website, I think around 5 users have to say the same thing and the website has to have the business information.
    -I didn't focus on this as much as on the telephone number; why will be described in a second.
     
     
    The problem with changing the telephone number:
    When a telephone number is active on a location/business, it takes about [2-8] months for the Claim your business function to accept verification by telephone again.
    A person with malicious intent could use a telephone number and send every incoming call automatically back to the original number so nobody would notice that this would be the wrong number
    NOBODY CHECKS A WORKING PHONE NUMBER IF IT'S "REAL" OR NOT
    The second you are able to verify via phone number, you could turn the call forwarding off to receive the call and verify a business which isn't yours.

    When you verified that you "own" that location/business, you are able to change the information shown on Google without confirmation

    That leads to one of the main vulnerabilities:

    You can change the business website to a similar domain which
    1 Displays a fake website to grab information
    2 Has a cookie grabber and forwards you to the real website; you, the user, wouldn't notice
     
    The other main vulnerability is that nobody questions if the Google Business owner is the real business owner, so you could post events and discounts on the Google page; this would lead to a lot of upset customers and a bad business reputation.
     
    The third one is that [I think] you could record the calls that you would forward to the other number if you would connect them via your server, but I'm not sure about this last one because, to be honest, I don't have the technical expertise, but would like to hear from you if you are more skilled in this topic.
     
     
     
     
    How to protect yourself:
    You don't really have another choice than to claim your Google business and check your data regularly

    This also applies if you are not a business; in case you are a city's office or something like that, you may have the ability to take out the ability that people change your data, but not sure (again)

    Before I posted this, I talked to my local police and a few businesses who are affected. I can't contact all of you and I really want to make sure nobody will be harmed by this, so I wanted to get the word out.
     
     
    If you have any questions or something like that, feel free to ask
    I will make a Reddit thread as well, but it's late and I probably will post the link here tomorrow
    Reposts and follow-ups are hoped for. If you do, I would love some credit ^^

    Stay safe
    Fabian
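
The regular check of your own listing data recommended under "How to protect yourself", as an added example that is not part of the original post: it compares a snapshot of what the public listing shows against the business's known-good record and reports phone-number drift (including the one- or two-digit edits described in the post) and changed or lookalike website domains. The record, the snapshot and all function names are constructed for illustration; how the snapshot is collected is left to the reader.

```python
import difflib
from urllib.parse import urlparse

# Known-good values kept by the business itself (constructed sample data).
CANONICAL = {"phone": "+49 30 5550100", "website": "https://www.bakery.example/"}

def digits(phone):
    """Reduce a phone number to its digits so formatting differences are ignored."""
    return "".join(ch for ch in phone if ch.isdigit())

def edit_distance(a, b):
    """Levenshtein distance: digits substituted, inserted or deleted."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def host(url):
    """Lower-cased hostname without a leading 'www.'."""
    name = (urlparse(url).hostname or "").lower()
    return name[4:] if name.startswith("www.") else name

def check_listing(canonical, observed):
    """Return a list of (field, detail) findings; an empty list means no drift."""
    findings = []
    want, got = digits(canonical["phone"]), digits(observed["phone"])
    if want != got:
        n = edit_distance(want, got)
        findings.append(("phone", f"{n} digit(s) differ from the known-good number"))
    want_h, got_h = host(canonical["website"]), host(observed["website"])
    if want_h != got_h:
        # A near-identical hostname is the "similar domain" case from the post.
        ratio = difflib.SequenceMatcher(None, want_h, got_h).ratio()
        kind = "lookalike domain" if ratio >= 0.8 else "different domain"
        findings.append(("website", f"{kind}: {got_h}"))
    return findings

if __name__ == "__main__":
    # Constructed snapshot of what the public listing currently shows.
    snapshot = {"phone": "+49 (30) 555-0101", "website": "https://bakerry.example/"}
    for field, detail in check_listing(CANONICAL, snapshot):
        print(f"ALERT {field}: {detail}")
```

A small phone difference deserves the same attention as a large one, since the post reports that one- or two-digit edits needed the fewest confirming users.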
     