(Serious) Bug in Google SMS Channel – Edit Any Channel But…

A serious bug is discovered in Google’s new SMS Channel service. Although the service is in beta (labs), it have huge userbase specially which makes a bug like this serious one.

First about the bug…

Bug is present in “manage channel” option beside each channel. When you click on it, editing page opens with URL structure like below:

http://labs.google.co.in/smschannels/manage_channel/xxxxxx/edit

In above link, xxxxxx is user-readable name of the channel.

Ideally you should be allowed to edit your own channels only, but you can put any Google SMS channels name in place of xxxxxx and you will get editing screen for it!

try this: http://labs.google.co.in/smschannels/manage_channel/digitalinspiration/edit

You will see a page like below. Yes, below one is Google SMS channel management page for top Indian technology blog – Digital Inspiration.

Don’t Get Panic…

I know above is enough to scare anyone who have large number of subscribers on their Google SMS channels. But although this bug is present, it can not be used to do any harm to anyone (at least as of now).

You will get access to edit page and you can change values too, but when you will hit Update Channel button you will get message, You have no permission to do this. (see screenshot below)

Ideally above error should have been displayed whenever we enter forged URL into browser.

“editing page options” do not contain any important information which can be misused. Everything there is anyway publicly listed in channel directory except data source. Again data source information for most of the channel is obvious.

So overall this bug is not harmful, but it presence may lead to more harmful bug in near future. Best would be, if Google SMS Channels team fix this in time! Thanks Saeed. 🙂

Related: Problems with Google SMS Channels