Big companies pretend that they care about users privacy, but in reality they don't do almost anything to protect it

Vahe Gulyan:

Big companies pretend that they care about users privacy, but in reality they don't do almost anything to protect it

PanARMENIAN.Net - In November 2010 one of the most discussed topics in IT the industry was the security hole found in Google's system which caused a leak of personal information. The exploit in Google’s system was discovered by a 21-year old Los Angeles-based Vahe Gulyan. After the discovery, Vahe had made multiple attempts to notify Google about the issue, but didn’t receive any response for a month. After Google updated its Google Apps system, Vahe found that the security hole was now also affecting the Google Apps customers (including many governmental organizations from US and all over the world) and wrote to the editor of TechCrunch - one of the most popular technology blogs. He demonstrated the hole with a little code included in his blog hosted in Google's own Blogger system. Vahe shares the details of this story that made headlines on the internet to PanARMENIAN.Net reporter in an exclusive interview.
Vahe, how would you present yourself?
I’m 21 years old, originally from Yerevan, and it’s been 2.5 years that I live in Los Angeles and work as a system administrator.

How did you find that security hole on Google? Where you looking for something like that or was it a sudden discovery?
To tell the truth, I don’t have a personal computer right now and I was in my workplace when found it just trying out something. Actually, it was plainly written in the manual, I just “applied” it. At first I thought that it’s intended to be so and is covered by some security measures, however my first attempt to test it demonstrated that it’s indeed a security hole in the system. I was shocked.

How serious is that hole? What would happen if some “bad guys” found it out first?
Well, they say it’s pretty serious :) For example, if you put some specific code on a popular website with many visitors (or even post it in a comment to some popular blogger’s post), you could gather the e-mail addresses of all the visitors who’ve been logged in into their Gmail accounts (even from browsers in “incognito” mode). That makes it a big spam list which can be used to send malware. These kind of email lists are often being sold on the internet and are highly demanded by spammers. And this all happens while Google assures it’s users that it won’t pass their personal information including the e-mail addresses to any third-parties without their concent…

By the way, another big issue was the fact that I could actually send e-mails to those addresses from @google.com authorised e-mail addresses.

So what did you do after you found it?
The whole process lasted 1.5 months, because, as I said, I don’t have a PC myself. The whole code (demonstrating the vulnerability, editor’s note) was written in an Apple store, actually. I’ve been sending e-mails to Google employees from the noreply@google.com address, which should warn them that something’s wrong, but all in vain. When I told my friends about that, they suggested me to write to TechCrunch, so I did. The article on TechCrunch received a huge response and that material was reproduced in hundreds of blogs and news websites all over the world. I just wanted to show how big companies act like they care about our personal information but do nothing to protect it. I still can’t quite understand how Google could do such a mistake.

But why in Apple store?
In Apple store they showcase their products which are connected to a broadband internet so I love going there and browsing stuff. It’s convenient :)

Did it cross your mind to use that finding in some other way, e.g. selling it to Google’s competitors, like Facebook?
I think it would be much harder to contact Facebook than Google.

What kind of response did you expect to receive from Google?
Frankly, I didn’t expect such a quick response from TechCrunch. The material was published by the time I got to work. I thought I’d be first contacted by a Google representative. I got to know about the buzz from my colleague.

Are you satisfied with what happened in the end? Google’s response?
Google’s employees are now in touch with me consulting on finding the best solution for the issue. The vulnerability is now fixed, however not entirely.

By the way, I just learned few days ago, that my name was added in the Google’s security hall of fame, in the “Honorable mention” section: http://www.google.com/corporate/halloffame.html

In your letter to TechCrunch’s editor Michael Arrington you signed as “Armenian 21yrs guy whom Google doesn’t wanted to even talk to”. Did you intentionally write about your nationality, even though partly hiding your real name? The fact that the discovery was made by an Armenian was being mentioned in all news articles about the security issue in Google. Did you have something in mind when writing it that way?
Yes, I wanted it to be known that it was found by an Armenian. Actually, I didn’t do much thinking while writing it. During our conversation with Arrington I told him that I live in Los Angeles now, however most of the commenters thought that I’m in Armenia.

Seems like all the technology related websites have written about you and in the comments to those articles, many people from around the world send you their regards and appreciation. How do you feel about this sudden "fame" and attention?
Of course it was very nice getting a response and receiving attention from someone like Michael Arrington. Using this opportunity I would like to pass my «barev» to my loved ones :)

Would you like to return to live and work in Armenia and in what conditions?
Unfortunately, it won't be possible in the upcoming few years due to personal reasons.

---