A simple search query has exposed Google Voice mail messages (audio and transcript) for anyone to see and hear.
As first reported here, a user entering “site:https://www.google.com/voice/fm/*” into the Google search bar discovered random voice mail messages belonging to random Google Voice accounts (see screenshot below).
Clicking on each result revealed not only the audio file and transcript of the call but also the caller's name and phone number, just as they would appear if you were checking your own Google Voice voice mail.
I was able to replicate the issue and listen to several voice mail messages, including some legitimate ones with potentially sensitive information.
Here is Google's official response to this disclosure:
Since the initial idea behind posting a voicemail was precisely to share it with others, we did not restrict crawling of those messages that users post on the web, but we can certainly understand that users would want to make them public on their sites but not necessarily searchable directly outside of their own website. We made a change to prevent those from being crawled so only the site owner can decide to index them.
At the time of writing this blog post, the search query was no longer displaying any results.