Google claims to have fixed a significant security hole in its two-week-old Voice calling service though some vulnerabilities remain.

The flaw enabled an unauthorised person to use a SIP device to spoof a phone number attached to a Google Voice account to call the Google Voice number. The spoofer would get access to greetings and voicemail, and the ability to make outbound calls, including international calls.

However reports are coming in which suggest that SIP access to a Google Voice account is no longer possible in such a manner. Our hacker chums say that there is still some vulnerabilities in Google voice. One was able to set the caller ID of a PBX extension to a mobile number attached to Google Voice account and call in, using a business VoIP trunk, to gain access.

VoIP service providers permit users to set their own caller ID and ANI so it is possible to spoof a number attached to a particular Google Voice account, unless the Google Voice account holder changes the default account setting to require entry of a PIN.

A recent post in the Google Voice support forum indicated that Google knew of the flaw.