Cloud

Google+ Vulnerability Hits Service, Leads to Shutdown

In response to the breach, Google is changing policies, modifying APIs, and shutting down Google+.

On Oct. 8, Google released information about a vulnerability that hit parts of its Google+ social network service. According to the company, it can't confirm how many users were affected or whether any data was actually accessed by an unauthorized user. But in response to the breach, Google is changing policies, modifying APIs, and shutting down Google+.

Whether the vulnerability and potential data breach is significant depends largely on the lens through which the vulnerability is viewed. From a population view, it's significant, according to some observers. "This isn't part of a population — it's the whole network," says Jim Zuffoletti, CEO of SafeGuard Cyber. "This time we're talking about the entire population on a shallow level. In the past we talked about portions of a population."

That "shallow level" is the other lens through which the vulnerability can be viewed. "Is this unique information that hasn't been exposed before? Is it new information? A lot of information isn't new — it's very publicly available," says Rami Essaid, co-founder of Distil Networks. "It's another privacy bungle, but it's not as bad as the PII exposed in the Equifax breach or the PII including credit card info exposed in Target or Home Depot [breaches]."

Each of these lenses converges on a single way of seeing what Google disclosed about the Google+ vulnerability. "This points to a systemic risk as opposed to a breach event," Zuffoletti says.

Essaid points out that APIs can be a vulnerable component in ways that companies aren't prepared to deal with. "The use [of APIs] is proliferating, but the security around them is still nascent," he says. "When we did a survey asking companies who was in charge of API security, a lot of people shrugged and said they weren't sure."

Organizational uncertainty about API security is a problem Essaid sees getting worse. "We're going to see more of these things. The horizon on which we're going to be exposing information is increasing, not decreasing," he explains. "The surface area is growing very, very quickly in terms of the data being shared among apps and data being moved."

As the vulnerable surface area increases, individuals and organizations should pay more attention to the impact of security on social networks, Zuffoletti says. "If I'm an individual user of social media, it makes me think hard about all social networks, and if I'm a marketer using social media, I have to ask whether my work is safe and whether I'm taking the right actions," he says.

A right action from the perspective of a social network provider should include rapid disclosure of vulnerabilities and breaches, says Colin Bastable, CEO of Lucy Security. "Don't be evil' mutated into 'don't be caught," he says.

The desire to avoid embarrassment is understandable, Bastable points out, but acting on that reluctance is part of the reason why all social network providers are facing increased scrutiny from lawmakers and regulators. He is referring to the fact that Google apparently knew about the vulnerability early in 2018 and patched it in March, but didn't disclose it (and the potential data loss) until this month.

Two huge unknowns remain: The first is whether any users were affected by data loss. Google says its logs for the affected APIs are kept only for two weeks, so it doesn't know what might have happened outside the scope of those logs.

The second unknown is whether there will be regulatory repercussions because of the vulnerability and its lingering announcement. "I'm keeping my eyes on Ireland," says Essaid, explaining that the European country has been aggressive in pursuing regulatory action against social network companies. In the new era of GDPR, many organizations are also waiting to see whether Google has just provided the first major test case of the new regulations.

Related Content:

 

Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Tips for the Aftermath of a Cyberattack
Kelly Sheridan, Staff Editor, Dark Reading,  4/17/2019
Former Student Admits to USB Killer Attack
Dark Reading Staff 4/18/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-11332
PUBLISHED: 2019-04-18
MKCMS 5.0 allows remote attackers to take over arbitrary user accounts by posting a username and e-mail address to ucenter/repass.php, which triggers e-mail transmission with the password, as demonstrated by 123456.
CVE-2019-9161
PUBLISHED: 2019-04-18
WAC on the Sangfor Sundray WLAN Controller version 3.7.4.2 and earlier has a Remote Code Execution issue allowing remote attackers to achieve full access to the system, because shell metacharacters in the nginx_webconsole.php Cookie header can be used to read an etc/config/wac/wns_cfg_admin_detail.x...
CVE-2019-11015
PUBLISHED: 2019-04-18
A vulnerability was found in the MIUI OS version 10.1.3.0 that allows a physically proximate attacker to bypass Lockscreen based authentication via the Wallpaper Carousel application to obtain sensitive Clipboard data and the user's stored credentials (partially). This occurs because of paste access...
CVE-2019-11331
PUBLISHED: 2019-04-18
Network Time Protocol (NTP), as specified in RFC 5905, uses port 123 even for modes where a fixed port number is not required, which makes it easier for remote attackers to conduct off-path attacks.
CVE-2019-9160
PUBLISHED: 2019-04-18
WAC on the Sangfor Sundray WLAN Controller version 3.7.4.2 and earlier has a backdoor account allowing a remote attacker to login to the system via SSH (on TCP port 22345) and escalate to root (because the password for root is the WebUI admin password concatenated with a static string).