Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

Google+ Vulnerability Hits Service, Leads to Shutdown

In response to the breach, Google is changing policies, modifying APIs, and shutting down Google+.

On Oct. 8, Google released information about a vulnerability that hit parts of its Google+ social network service. According to the company, it can't confirm how many users were affected or whether any data was actually accessed by an unauthorized user. But in response to the breach, Google is changing policies, modifying APIs, and shutting down Google+.

Whether the vulnerability and potential data breach is significant depends largely on the lens through which the vulnerability is viewed. From a population view, it's significant, according to some observers. "This isn't part of a population — it's the whole network," says Jim Zuffoletti, CEO of SafeGuard Cyber. "This time we're talking about the entire population on a shallow level. In the past we talked about portions of a population."

That "shallow level" is the other lens through which the vulnerability can be viewed. "Is this unique information that hasn't been exposed before? Is it new information? A lot of information isn't new — it's very publicly available," says Rami Essaid, co-founder of Distil Networks. "It's another privacy bungle, but it's not as bad as the PII exposed in the Equifax breach or the PII including credit card info exposed in Target or Home Depot [breaches]."

Each of these lenses converges on a single way of seeing what Google disclosed about the Google+ vulnerability. "This points to a systemic risk as opposed to a breach event," Zuffoletti says.

Essaid points out that APIs can be a vulnerable component in ways that companies aren't prepared to deal with. "The use [of APIs] is proliferating, but the security around them is still nascent," he says. "When we did a survey asking companies who was in charge of API security, a lot of people shrugged and said they weren't sure."

Organizational uncertainty about API security is a problem Essaid sees getting worse. "We're going to see more of these things. The horizon on which we're going to be exposing information is increasing, not decreasing," he explains. "The surface area is growing very, very quickly in terms of the data being shared among apps and data being moved."

As the vulnerable surface area increases, individuals and organizations should pay more attention to the impact of security on social networks, Zuffoletti says. "If I'm an individual user of social media, it makes me think hard about all social networks, and if I'm a marketer using social media, I have to ask whether my work is safe and whether I'm taking the right actions," he says.

A right action from the perspective of a social network provider should include rapid disclosure of vulnerabilities and breaches, says Colin Bastable, CEO of Lucy Security. "Don't be evil' mutated into 'don't be caught," he says.

The desire to avoid embarrassment is understandable, Bastable points out, but acting on that reluctance is part of the reason why all social network providers are facing increased scrutiny from lawmakers and regulators. He is referring to the fact that Google apparently knew about the vulnerability early in 2018 and patched it in March, but didn't disclose it (and the potential data loss) until this month.

Two huge unknowns remain: The first is whether any users were affected by data loss. Google says its logs for the affected APIs are kept only for two weeks, so it doesn't know what might have happened outside the scope of those logs.

The second unknown is whether there will be regulatory repercussions because of the vulnerability and its lingering announcement. "I'm keeping my eyes on Ireland," says Essaid, explaining that the European country has been aggressive in pursuing regulatory action against social network companies. In the new era of GDPR, many organizations are also waiting to see whether Google has just provided the first major test case of the new regulations.

Related Content:

 

Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
AI Is Everywhere, but Don't Ignore the Basics
Howie Xu, Vice President of AI and Machine Learning at Zscaler,  9/10/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16349
PUBLISHED: 2019-09-16
Bento4 1.5.1-628 has a NULL pointer dereference in AP4_ByteStream::ReadUI32 in Core/Ap4ByteStream.cpp when called from the AP4_TrunAtom class.
CVE-2019-16350
PUBLISHED: 2019-09-16
ffjpeg before 2019-08-18 has a NULL pointer dereference in idct2d8x8() at dct.c.
CVE-2019-16351
PUBLISHED: 2019-09-16
ffjpeg before 2019-08-18 has a NULL pointer dereference in huffman_decode_step() at huffman.c.
CVE-2019-16352
PUBLISHED: 2019-09-16
ffjpeg before 2019-08-21 has a heap-based buffer overflow in jfif_load() at jfif.c.
CVE-2016-10967
PUBLISHED: 2019-09-16
The real3d-flipbook-lite plugin 1.0 for WordPress has XSS via the wp-content/plugins/real3d-flipbook/includes/flipbooks.php bookId parameter.