Cloud

10/9/2018
07:00 PM
50%
50%

Google+ Vulnerability Hits Service, Leads to Shutdown

In response to the breach, Google is changing policies, modifying APIs, and shutting down Google+.

On Oct. 8, Google released information about a vulnerability that hit parts of its Google+ social network service. According to the company, it can't confirm how many users were affected or whether any data was actually accessed by an unauthorized user. But in response to the breach, Google is changing policies, modifying APIs, and shutting down Google+.

Whether the vulnerability and potential data breach is significant depends largely on the lens through which the vulnerability is viewed. From a population view, it's significant, according to some observers. "This isn't part of a population — it's the whole network," says Jim Zuffoletti, CEO of SafeGuard Cyber. "This time we're talking about the entire population on a shallow level. In the past we talked about portions of a population."

That "shallow level" is the other lens through which the vulnerability can be viewed. "Is this unique information that hasn't been exposed before? Is it new information? A lot of information isn't new — it's very publicly available," says Rami Essaid, co-founder of Distil Networks. "It's another privacy bungle, but it's not as bad as the PII exposed in the Equifax breach or the PII including credit card info exposed in Target or Home Depot [breaches]."

Each of these lenses converges on a single way of seeing what Google disclosed about the Google+ vulnerability. "This points to a systemic risk as opposed to a breach event," Zuffoletti says.

Essaid points out that APIs can be a vulnerable component in ways that companies aren't prepared to deal with. "The use [of APIs] is proliferating, but the security around them is still nascent," he says. "When we did a survey asking companies who was in charge of API security, a lot of people shrugged and said they weren't sure."

Organizational uncertainty about API security is a problem Essaid sees getting worse. "We're going to see more of these things. The horizon on which we're going to be exposing information is increasing, not decreasing," he explains. "The surface area is growing very, very quickly in terms of the data being shared among apps and data being moved."

As the vulnerable surface area increases, individuals and organizations should pay more attention to the impact of security on social networks, Zuffoletti says. "If I'm an individual user of social media, it makes me think hard about all social networks, and if I'm a marketer using social media, I have to ask whether my work is safe and whether I'm taking the right actions," he says.

A right action from the perspective of a social network provider should include rapid disclosure of vulnerabilities and breaches, says Colin Bastable, CEO of Lucy Security. "Don't be evil' mutated into 'don't be caught," he says.

The desire to avoid embarrassment is understandable, Bastable points out, but acting on that reluctance is part of the reason why all social network providers are facing increased scrutiny from lawmakers and regulators. He is referring to the fact that Google apparently knew about the vulnerability early in 2018 and patched it in March, but didn't disclose it (and the potential data loss) until this month.

Two huge unknowns remain: The first is whether any users were affected by data loss. Google says its logs for the affected APIs are kept only for two weeks, so it doesn't know what might have happened outside the scope of those logs.

The second unknown is whether there will be regulatory repercussions because of the vulnerability and its lingering announcement. "I'm keeping my eyes on Ireland," says Essaid, explaining that the European country has been aggressive in pursuing regulatory action against social network companies. In the new era of GDPR, many organizations are also waiting to see whether Google has just provided the first major test case of the new regulations.

Related Content:

 

Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Higher Education: 15 Books to Help Cybersecurity Pros Be Better
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
Worst Password Blunders of 2018 Hit Organizations East and West
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
10 Best Practices That Could Reshape Your IT Security Department
This Dark Reading Tech Digest, explores ten best practices that could reshape IT security departments.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-20161
PUBLISHED: 2018-12-15
A design flaw in the BlinkForHome (aka Blink For Home) Sync Module 2.10.4 and earlier allows attackers to disable cameras via Wi-Fi, because incident clips (triggered by the motion sensor) are not saved if the attacker's traffic (such as Dot11Deauth) successfully disconnects the Sync Module from the...
CVE-2018-20159
PUBLISHED: 2018-12-15
i-doit open 1.11.2 allows Remote Code Execution because ZIP archives are mishandled. It has an upload feature that allows an authenticated user with the administrator role to upload arbitrary files to the main website directory. Exploitation involves uploading a ".php" file within a "...
CVE-2018-20157
PUBLISHED: 2018-12-15
The data import functionality in OpenRefine through 3.1 allows an XML External Entity (XXE) attack through a crafted (zip) file, allowing attackers to read arbitrary files.
CVE-2018-20154
PUBLISHED: 2018-12-14
The WP Maintenance Mode plugin before 2.0.7 for WordPress allows remote authenticated users to discover all subscriber e-mail addresses.
CVE-2018-20155
PUBLISHED: 2018-12-14
The WP Maintenance Mode plugin before 2.0.7 for WordPress allows remote authenticated subscriber users to bypass intended access restrictions on changes to plugin settings.