Vulnerabilities / Threats
9/6/2011
01:47 PM
Connect Directly
LinkedIn
Twitter
Google+
RSS
E-Mail
50%
50%

Google Maps Listings Marred By False Information

Businesses complain that Google Maps inaccurately lists them as being closed, an attack that reduces customer visits and diminishes online traffic.

Top 15 Google Apps For Business
Slideshow: Top 15 Google Apps For Business
(click image for larger view and for full slideshow)
Internet observers often extol the wisdom of the crowd, but appear to be less keen to consider the malice of the crowd. Thus, Google, ever optimistic about leveraging free labor to organize online information, has allowed Google users to police map data without adequately planning for the possibility of abuse.

In recent weeks, Google has been getting an earful from businesses listed on Google Maps and Google Places. Many business owners are reporting that their businesses appear to be "permanently closed," the result of presumably deliberate attempts by rivals to scare off customers.

Google Maps place markers, when clicked on, open a pop-up pane that includes a "more" link. One of the options in the "more" link drop-down menu is "Report a problem." And one of several possible problems that can be reported is "Place is permanently closed." Used correctly, this is a public service; used in error or in a deliberate attempt to mislead, it's a public nuisance and economic sabotage.

Google calls the problem "spam." F-Secure security advisor Sean Sullivan calls it "a subtle (and ingenious) 'denial of service' attack."

Google has been accepting such reports without adequate skepticism or safeguards. There's a "Not true" button that appears when a place is designated as closed, but those complaining about the problem suggest that's not enough because the virtual vandalism just continues.

"I have a business on Google Maps that someone keeps marking our business as closed, and we keep getting calls asking if we are going out of business," writes a user identified as "iloveshells" in a Google Places help forum post. "It has been happening for over a week now, and good customers keep re-marking our business as open. I own this listing in my Google Places account. I would love to find a solution to stop this and it would be great if I could get the IP address to the user that is harassing us."

Google did not immediately respond to a request to explain what disciplinary action, if any, it might take when it detects abuse. In general, the company does not provide a user's IP address without a valid court order. But Google says it plans to introduce new tools to prevent abuse.

"About two weeks ago, news in the blogosphere made us aware that abuse--such as 'place closed' spam label--was occurring," wrote Google senior product manager Ethan Russell in a blog post on Monday. "And since then, we've been working on improvements to the system to prevent any malicious or incorrect labeling. These improvements will be implemented in the coming days."

It appears, however, that the problem has been going on for more than two weeks. One post in a series of posts about the problem dates back to June, 2010. It concerns a hospital emergency room inaccurately marked closed.

Attend Enterprise 2.0 Santa Clara, Nov. 14-17, 2011, and learn how to drive business value with collaboration, with an emphasis on how real customers are using social software to enable more productive workforces and to be more responsive and engaged with customers and business partners. Register today and save 30% off conference passes, or get a free expo pass with priority code CPHCES02. Find out more and register.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0607
Published: 2014-07-24
Unrestricted file upload vulnerability in Attachmate Verastream Process Designer (VPD) before R6 SP1 Hotfix 1 allows remote attackers to execute arbitrary code by uploading and launching an executable file.

CVE-2014-1419
Published: 2014-07-24
Race condition in the power policy functions in policy-funcs in acpi-support before 0.142 allows local users to gain privileges via unspecified vectors.

CVE-2014-2360
Published: 2014-07-24
OleumTech WIO DH2 Wireless Gateway and Sensor Wireless I/O Modules allow remote attackers to execute arbitrary code via packets that report a high battery voltage.

CVE-2014-2361
Published: 2014-07-24
OleumTech WIO DH2 Wireless Gateway and Sensor Wireless I/O Modules, when BreeZ is used, do not require authentication for reading the site security key, which allows physically proximate attackers to spoof communication by obtaining this key after use of direct hardware access or manual-setup mode.

CVE-2014-2362
Published: 2014-07-24
OleumTech WIO DH2 Wireless Gateway and Sensor Wireless I/O Modules rely exclusively on a time value for entropy in key generation, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by predicting the time of project creation.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Sara Peters hosts a conversation on Botnets and those who fight them.