Cloud

10/9/2018
07:00 PM

Google+ Vulnerability Hits Service, Leads to Shutdown

In response to the breach, Google is changing policies, modifying APIs, and shutting down Google+.



On Oct. 8, Google released information about a vulnerability that hit parts of its Google+ social network service. According to the company, it can't confirm how many users were affected or whether any data was actually accessed by an unauthorized user. But in response to the breach, Google is changing policies, modifying APIs, and shutting down Google+.

Whether the vulnerability and potential data breach is significant depends largely on the lens through which the vulnerability is viewed. From a population view, it's significant, according to some observers. "This isn't part of a population — it's the whole network," says Jim Zuffoletti, CEO of SafeGuard Cyber. "This time we're talking about the entire population on a shallow level. In the past we talked about portions of a population."

That "shallow level" is the other lens through which the vulnerability can be viewed. "Is this unique information that hasn't been exposed before? Is it new information? A lot of information isn't new — it's very publicly available," says Rami Essaid, co-founder of Distil Networks. "It's another privacy bungle, but it's not as bad as the PII exposed in the Equifax breach or the PII including credit card info exposed in Target or Home Depot [breaches]."

Each of these lenses converges on a single way of seeing what Google disclosed about the Google+ vulnerability. "This points to a systemic risk as opposed to a breach event," Zuffoletti says.

Essaid points out that APIs can be a vulnerable component in ways that companies aren't prepared to deal with. "The use [of APIs] is proliferating, but the security around them is still nascent," he says. "When we did a survey asking companies who was in charge of API security, a lot of people shrugged and said they weren't sure."

Organizational uncertainty about API security is a problem Essaid sees getting worse. "We're going to see more of these things. The horizon on which we're going to be exposing information is increasing, not decreasing," he explains. "The surface area is growing very, very quickly in terms of the data being shared among apps and data being moved."

As the vulnerable surface area increases, individuals and organizations should pay more attention to the impact of security on social networks, Zuffoletti says. "If I'm an individual user of social media, it makes me think hard about all social networks, and if I'm a marketer using social media, I have to ask whether my work is safe and whether I'm taking the right actions," he says.

A right action from the perspective of a social network provider should include rapid disclosure of vulnerabilities and breaches, says Colin Bastable, CEO of Lucy Security. "Don't be evil' mutated into 'don't be caught," he says.

The desire to avoid embarrassment is understandable, Bastable points out, but acting on that reluctance is part of the reason why all social network providers are facing increased scrutiny from lawmakers and regulators. He is referring to the fact that Google apparently knew about the vulnerability early in 2018 and patched it in March, but didn't disclose it (and the potential data loss) until this month.

Two huge unknowns remain: The first is whether any users were affected by data loss. Google says its logs for the affected APIs are kept only for two weeks, so it doesn't know what might have happened outside the scope of those logs.

The second unknown is whether there will be regulatory repercussions because of the vulnerability and its lingering announcement. "I'm keeping my eyes on Ireland," says Essaid, explaining that the European country has been aggressive in pursuing regulatory action against social network companies. In the new era of GDPR, many organizations are also waiting to see whether Google has just provided the first major test case of the new regulations.

Related Content:

 

Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Higher Education: 15 Books to Help Cybersecurity Pros Be Better
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
'PowerSnitch' Hacks Androids via Power Banks
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/8/2018
Worst Password Blunders of 2018 Hit Organizations East and West
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
10 Best Practices That Could Reshape Your IT Security Department
This Dark Reading Tech Digest, explores ten best practices that could reshape IT security departments.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-1848
PUBLISHED: 2018-12-14
IBM Business Automation Workflow 18.0.0.0 and 18.0.0.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force...
CVE-2018-1977
PUBLISHED: 2018-12-14
IBM DB2 for Linux, UNIX and Windows 11.1 (includes DB2 Connect Server) contains a denial of service vulnerability. A remote, authenticated DB2 user could exploit this vulnerability by issuing a specially-crafted SELECT statement with TRUNCATE function. IBM X-Force ID: 154032.
CVE-2018-18006
PUBLISHED: 2018-12-14
Hardcoded credentials in the Ricoh myPrint application 2.9.2.4 for Windows and 2.2.7 for Android give access to any externally disclosed myPrint WSDL API, as demonstrated by discovering API secrets of related Google cloud printers, encrypted passwords of mail servers, and names of printed files.
CVE-2018-18984
PUBLISHED: 2018-12-14
Medtronic CareLink 2090 Programmer CareLink 9790 Programmer 29901 Encore Programmer, all versions, The affected products do not encrypt or do not sufficiently encrypt the following sensitive information while at rest PII and PHI.
CVE-2018-19003
PUBLISHED: 2018-12-14
GE Mark VIe, EX2100e, EX2100e_Reg, and LS2100e Versions 03.03.28C to 05.02.04C, EX2100e All versions prior to v04.09.00C, EX2100e_Reg All versions prior to v04.09.00C, and LS2100e All versions prior to v04.09.00C The affected versions of the application have a path traversal vulnerability that fails...