Google+ Vulnerability Hits Service, Leads to Shutdown

In response to the breach, Google is changing policies, modifying APIs, and shutting down Google+.

On Oct. 8, Google released information about a vulnerability that hit parts of its Google+ social network service. According to the company, it cant confirm how many users were affected or whether any data was actually accessed by an unauthorized user. But in response to the breach, Google is changing policies, modifying APIs, and shutting down Google+.
Whether the vulnerability and potential data breach is significant depends largely on the lens through which the vulnerability is viewed. From a population view, its significant, according to some observers. This isnt part of a population — its the whole network, says Jim Zuffoletti, CEO of SafeGuard Cyber. This time were talking about the entire population on a shallow level. In the past we talked about portions of a population.
That shallow level is the other lens through which the vulnerability can be viewed. Is this unique information that hasnt been exposed before? Is it new information? A lot of information isnt new — its very publicly available, says Rami Essaid, co-founder of Distil Networks. Its another privacy bungle, but its not as bad as the PII exposed in the Equifax breach or the PII including credit card info exposed in Target or Home Depot [breaches].
Each of these lenses converges on a single way of seeing what
Google disclosed
about the Google+ vulnerability. This points to a systemic risk as opposed to a breach event, Zuffoletti says.
Essaid points out that APIs can be a vulnerable component in ways that companies arent prepared to deal with. The use [of APIs] is proliferating, but the security around them is still nascent, he says. When we did a survey asking companies who was in charge of API security, a lot of people shrugged and said they werent sure.
Organizational uncertainty about API security is a problem Essaid sees getting worse. Were going to see more of these things. The horizon on which were going to be exposing information is increasing, not decreasing, he explains. The surface area is growing very, very quickly in terms of the data being shared among apps and data being moved.
As the vulnerable surface area increases, individuals and organizations should pay more attention to the impact of security on social networks, Zuffoletti says. If Im an individual user of social media, it makes me think hard about all social networks, and if Im a marketer using social media, I have to ask whether my work is safe and whether Im taking the right actions, he says.
A right action from the perspective of a social network provider should include rapid disclosure of vulnerabilities and breaches, says Colin Bastable, CEO of Lucy Security. Dont be evil mutated into dont be caught, he says.
The desire to avoid embarrassment is understandable, Bastable points out, but acting on that reluctance is part of the reason why all social network providers are facing increased scrutiny from lawmakers and regulators. He is referring to the fact that Google apparently knew about the vulnerability early in 2018 and patched it in March, but
didnt disclose it
(and the potential data loss) until this month.
Two huge unknowns remain: The first is whether any users were affected by data loss. Google says its logs for the affected APIs are kept only for two weeks, so it doesnt know what might have happened outside the scope of those logs.
The second unknown is whether there will be regulatory repercussions because of the vulnerability and its lingering announcement. Im keeping my eyes on Ireland, says Essaid, explaining that the European country has been aggressive in pursuing regulatory action against social network companies. In the new era of GDPR, many organizations are also waiting to see whether Google has just provided the first major test case of the new regulations.
Related Content
:
Putting Security on Par with DevOps
4 Trends Giving CISOs Sleepless Nights
It Takes an Average 38 Days to Patch a Vulnerability
The Equifax Breach One Year Later: 6 Action Items for Security Pros

Black Hat Europe returns to London Dec 3-6 2018 with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the
conference
and
to register.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Google+ Vulnerability Hits Service, Leads to Shutdown