Vulnerabilities / Threats
9/6/2011
01:47 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Google Maps Listings Marred By False Information

Businesses complain that Google Maps inaccurately lists them as being closed, an attack that reduces customer visits and diminishes online traffic.

Top 15 Google Apps For Business
Slideshow: Top 15 Google Apps For Business
(click image for larger view and for full slideshow)
Internet observers often extol the wisdom of the crowd, but appear to be less keen to consider the malice of the crowd. Thus, Google, ever optimistic about leveraging free labor to organize online information, has allowed Google users to police map data without adequately planning for the possibility of abuse.

In recent weeks, Google has been getting an earful from businesses listed on Google Maps and Google Places. Many business owners are reporting that their businesses appear to be "permanently closed," the result of presumably deliberate attempts by rivals to scare off customers.

Google Maps place markers, when clicked on, open a pop-up pane that includes a "more" link. One of the options in the "more" link drop-down menu is "Report a problem." And one of several possible problems that can be reported is "Place is permanently closed." Used correctly, this is a public service; used in error or in a deliberate attempt to mislead, it's a public nuisance and economic sabotage.

Google calls the problem "spam." F-Secure security advisor Sean Sullivan calls it "a subtle (and ingenious) 'denial of service' attack."

Google has been accepting such reports without adequate skepticism or safeguards. There's a "Not true" button that appears when a place is designated as closed, but those complaining about the problem suggest that's not enough because the virtual vandalism just continues.

"I have a business on Google Maps that someone keeps marking our business as closed, and we keep getting calls asking if we are going out of business," writes a user identified as "iloveshells" in a Google Places help forum post. "It has been happening for over a week now, and good customers keep re-marking our business as open. I own this listing in my Google Places account. I would love to find a solution to stop this and it would be great if I could get the IP address to the user that is harassing us."

Google did not immediately respond to a request to explain what disciplinary action, if any, it might take when it detects abuse. In general, the company does not provide a user's IP address without a valid court order. But Google says it plans to introduce new tools to prevent abuse.

"About two weeks ago, news in the blogosphere made us aware that abuse--such as 'place closed' spam label--was occurring," wrote Google senior product manager Ethan Russell in a blog post on Monday. "And since then, we've been working on improvements to the system to prevent any malicious or incorrect labeling. These improvements will be implemented in the coming days."

It appears, however, that the problem has been going on for more than two weeks. One post in a series of posts about the problem dates back to June, 2010. It concerns a hospital emergency room inaccurately marked closed.

Attend Enterprise 2.0 Santa Clara, Nov. 14-17, 2011, and learn how to drive business value with collaboration, with an emphasis on how real customers are using social software to enable more productive workforces and to be more responsive and engaged with customers and business partners. Register today and save 30% off conference passes, or get a free expo pass with priority code CPHCES02. Find out more and register.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-1556
Published: 2014-09-12
Cross-site scripting (XSS) vulnerability in Synology Photo Station 5 for DiskStation Manager (DSM) 3.2-1955 allows remote attackers to inject arbitrary web script or HTML via the name parameter to photo/photo_one.php.

CVE-2014-2008
Published: 2014-09-12
SQL injection vulnerability in confirm.php in the mPAY24 payment module before 1.6 for PrestaShop allows remote attackers to execute arbitrary SQL commands via the TID parameter.

CVE-2014-2009
Published: 2014-09-12
The mPAY24 payment module before 1.6 for PrestaShop allows remote attackers to obtain credentials, the installation path, and other sensitive information via a direct request to api/curllog.log.

CVE-2014-4735
Published: 2014-09-12
Cross-site scripting (XSS) vulnerability in MyWebSQL 3.4 and earlier allows remote attackers to inject arbitrary web script or HTML via the table parameter to index.php.

CVE-2014-5259
Published: 2014-09-12
Cross-site scripting (XSS) vulnerability in cattranslate.php in the CatTranslate JQuery plugin in BlackCat CMS 1.0.3 and earlier allows remote attackers to inject arbitrary web script or HTML via the msg parameter.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
CISO Insider: An Interview with James Christiansen, Vice President, Information Risk Management, Office of the CISO, Accuvant