Cloud

Google+ Vulnerability Hits Service, Leads to Shutdown

In response to the breach, Google is changing policies, modifying APIs, and shutting down Google+.

On Oct. 8, Google released information about a vulnerability that hit parts of its Google+ social network service. According to the company, it can't confirm how many users were affected or whether any data was actually accessed by an unauthorized user. But in response to the breach, Google is changing policies, modifying APIs, and shutting down Google+.

Whether the vulnerability and potential data breach is significant depends largely on the lens through which the vulnerability is viewed. From a population view, it's significant, according to some observers. "This isn't part of a population — it's the whole network," says Jim Zuffoletti, CEO of SafeGuard Cyber. "This time we're talking about the entire population on a shallow level. In the past we talked about portions of a population."

That "shallow level" is the other lens through which the vulnerability can be viewed. "Is this unique information that hasn't been exposed before? Is it new information? A lot of information isn't new — it's very publicly available," says Rami Essaid, co-founder of Distil Networks. "It's another privacy bungle, but it's not as bad as the PII exposed in the Equifax breach or the PII including credit card info exposed in Target or Home Depot [breaches]."

Each of these lenses converges on a single way of seeing what Google disclosed about the Google+ vulnerability. "This points to a systemic risk as opposed to a breach event," Zuffoletti says.

Essaid points out that APIs can be a vulnerable component in ways that companies aren't prepared to deal with. "The use [of APIs] is proliferating, but the security around them is still nascent," he says. "When we did a survey asking companies who was in charge of API security, a lot of people shrugged and said they weren't sure."

Organizational uncertainty about API security is a problem Essaid sees getting worse. "We're going to see more of these things. The horizon on which we're going to be exposing information is increasing, not decreasing," he explains. "The surface area is growing very, very quickly in terms of the data being shared among apps and data being moved."

As the vulnerable surface area increases, individuals and organizations should pay more attention to the impact of security on social networks, Zuffoletti says. "If I'm an individual user of social media, it makes me think hard about all social networks, and if I'm a marketer using social media, I have to ask whether my work is safe and whether I'm taking the right actions," he says.

A right action from the perspective of a social network provider should include rapid disclosure of vulnerabilities and breaches, says Colin Bastable, CEO of Lucy Security. "Don't be evil' mutated into 'don't be caught," he says.

The desire to avoid embarrassment is understandable, Bastable points out, but acting on that reluctance is part of the reason why all social network providers are facing increased scrutiny from lawmakers and regulators. He is referring to the fact that Google apparently knew about the vulnerability early in 2018 and patched it in March, but didn't disclose it (and the potential data loss) until this month.

Two huge unknowns remain: The first is whether any users were affected by data loss. Google says its logs for the affected APIs are kept only for two weeks, so it doesn't know what might have happened outside the scope of those logs.

The second unknown is whether there will be regulatory repercussions because of the vulnerability and its lingering announcement. "I'm keeping my eyes on Ireland," says Essaid, explaining that the European country has been aggressive in pursuing regulatory action against social network companies. In the new era of GDPR, many organizations are also waiting to see whether Google has just provided the first major test case of the new regulations.

Related Content:

 

Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Russia Hacked Clinton's Computers Five Hours After Trump's Call
Robert Lemos, Technology Journalist/Data Researcher,  4/19/2019
Why We Need a 'Cleaner Internet'
Darren Anstee, Chief Technology Officer at Arbor Networks,  4/19/2019
Sensitive Data Lingers on Used Storage Drives Sold Online
Ericka Chickowski, Contributing Writer, Dark Reading,  4/25/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-11538
PUBLISHED: 2019-04-26
In Pulse Secure Pulse Connect Secure version 9.0RX before 9.0R3.4, 8.3RX before 8.3R7.1, 8.2RX before 8.2R12.1, and 8.1RX before 8.1R15.1, an NFS problem could allow an authenticated attacker to access the contents of arbitrary files on the affected device.
CVE-2019-11539
PUBLISHED: 2019-04-26
In Pulse Secure Pulse Connect Secure version 9.0RX before 9.0R3.4, 8.3RX before 8.3R7.1, 8.2RX before 8.2R12.1, and 8.1RX before 8.1R15.1 and Pulse Policy Secure version 9.0RX before 9.0R3.2, 5.4RX before 5.4R7.1, 5.3RX before 5.3R12.1, 5.2RX before 5.2R12.1, and 5.1RX before 5.1R15.1, the admin web...
CVE-2019-11540
PUBLISHED: 2019-04-26
In Pulse Secure Pulse Connect Secure version 9.0RX before 9.0R3.4 and 8.3RX before 8.3R7.1 and Pulse Policy Secure version 9.0RX before 9.0R3.2 and 5.4RX before 5.4R7.1, an unauthenticated, remote attacker can conduct a session hijacking attack.
CVE-2019-11541
PUBLISHED: 2019-04-26
In Pulse Secure Pulse Connect Secure version 9.0RX before 9.0R3.4, 8.3RX before 8.3R7.1, and 8.2RX before 8.2R12.1, users using SAML authentication with the Reuse Existing NC (Pulse) Session option may see authentication leaks.
CVE-2019-11542
PUBLISHED: 2019-04-26
In Pulse Secure Pulse Connect Secure version 9.0RX before 9.0R3.4, 8.3RX before 8.3R7.1, 8.2RX before 8.2R12.1, and 8.1RX before 8.1R15.1 and Pulse Policy Secure version 9.0RX before 9.0R3.2, 5.4RX before 5.4R7.1, 5.3RX before 5.3R12.1, 5.2RX before 5.2R12.1, and 5.1RX before 5.1R15.1, an authentica...