You are here

Deadend sign

Google panics as huge new bug found in Google+

Richi Jennings, Industry analyst and editor, RJAssociates

It happened again, but this time it's 100 times worse. Google found another security hole in Google Plus.

This time, the bug’s in a RESTful API—and affects more than 50 million accounts. That’s far more than the 500,000 exposed last time.

And there we have a neat excuse to further accelerate the shutdown of the “failed” social network. But is this just a pretext, or is G+ really unmaintainable? In this week’s Security Blogwatch, we figure out what’s really going on.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Googling “idiot” 

[ Explore the challenges and opportunities facing SOCs in TechBeacon's new guide. Plus: Get the 2019 State of Security Operations report. ]

G+ APIs laid to REST

[You’re fired—Ed.]

What’s the craic? Bill Chappell has Google Accelerates Google+ Shutdown After 52.5 Million Users' Data Exposed:

The Google+ social network inadvertently gave app developers access to information on some 52.5 million users — even data that users designated as private. … The company had already announced it was pulling the plug on the social network … and now says the shutdown will happen four months sooner.

The flaw was in a software update to a Google+ API. … The company says it found the problem during a routine review. … Both consumers and "enterprise customers" were affected.

To some, the most surprising thing about the Google+ shutdown was the fact that the network was still up and running, after being introduced in 2011.

Ohh, the snark. It burns! Janet Burns, that is—API Bug Fumbles 52 Million Users' Privacy:

David Thacker, vice president of product management for Google, said … no third parties compromised their systems [and there’s] "no evidence" that third-party app developers took advantage of the bug-fueled data exposure.

The news of [this] latest data drama comes hours before Google CEO Sundar Pichai is set to appear before the House Judiciary Committee, where he's expected to field numerous questions on Google's handling of user data.

David who? Mister Thacker is in fact responsible for G Suite Enterprise—Expediting changes:

In October, we announced that we’d be sunsetting the consumer version [because of it’s] low usage. … With the discovery of this new bug, we have … decided to accelerate the sunsetting of consumer Google+ … to April 2019. … We will sunset all Google+ APIs in the next 90 days.

Apps that requested permission to view profile information that a user had added to their Google+ profile—like their name, email address, occupation, age … were granted permission to view profile information about that user even when set to not-public.

We are in the process of notifying any enterprise customers that were impacted by this bug. … We want to reiterate that we will continue to invest in Google+ for enterprise.

Ruh roh, amirite? Tony Romm says I’m right:

Whatever the issue, bad bad bad timing for a chief exec set to testify in 24 hrs in Congress.

Ohh, tell me more about that. Drew Harwell drew us a picture—Pichai emerges ‘unscathed’ from the circus in Washington:

After nearly four hours of rambling questions and partisan bickering, … Sundar Pichai emerged on Tuesday from his first-ever testimony to Congress almost entirely untouched. … Pichai was the measured, mild-mannered political tenderfoot in a sea of Washington bombast, not showing agitation at the silliest of questions or taking his interrogators’ bait.

The hearing was crashed by longtime Trump crony Roger Stone and far-right conspiracy theorist Alex Jones, who called Google “the most horrible corporation on earth” to anyone in the halls willing to listen. [It] was designed from the jump as a scene of performative political outrage at Big Tech.

The demands from a phalanx of lawmakers … ranged from prosecutorial cross-examinations to questions more likely to be expressed by old uncles seeking tech support from young kids during a Thanksgiving gathering. … Pichai proved to even his critics to be a master of deflection, capable of gliding past tough questions and consistently hitting talking points.

O RLY? Conor Cawley has the Worst Questions Congress Asked Google:

Just because politicians are out of touch with the tech world … doesn’t mean Google shouldn’t be under scrutiny. With shady data collection practices and a few notable security breaches in recent months making headline news, the tech giant needs to be held accountable.

But by the looks of some of these questions, someone else should be holding them accountable.

Zoe Lofgren (D-CA) … “Right now, if you Google the word ‘idiot’ under images, a picture of Donald Trump comes up. … How would that happen?” … House members bombarded Pichai with questions about political bias. … What many of them plainly couldn’t understand was that this search process is almost entirely automated. … Aggregate data … apparently correlates the word “idiot” to pictures of [the] President.

Steve Cohen (D-TN) … “This weekend, I was on MSNBC four times, and yet the first thing that comes up [when I Google myself] is the Daily Caller, not exactly a liberal, well-known group, then it’s Roll Call, then Breitbart news, then the Memphis Business Journal, then Breitbart news, then Breitbart. It looks like you are overly using conservative news organizations on your news.” … Pichai was noticeably taken aback after the question, and not just because of the decidedly confusing way in which it was posed.

LOL. Kieren McCarthy piles on:

The marathon three-and-a-half House committee session was in-part fascinating and in-larger-part cringeworthy … in the face of incoherent rants and questions that bore no relation to objective reality. … The stunning lack of knowledge about the basics of technology … is actually a limiting factor in Congress being able to do its job.

On more than one occasion, a Congressman railed at Pichai insisting he explain their confused and inaccurate ramblings while holding up their … iPhone – which is, of course, made by Apple and has nothing to do with Google. "Congressman, iPhone is made by a different company," Pichai said in response to one question from Representative Steve King (R-IA).

One Congressman asked Pichai if Google's privacy policy applied "when someone clicks a DoubleClick cookie?" … There is little point in aggressively questioning the CEO of a company when you have no idea how their market works.

Yes, but back to Google+ please. Giacomo Lacava—@toyg—reminds us why it failed to gain traction:

G+ wasn't that bad, technically speaking. They just failed at managing the political aspects of it, focusing too brutally on their own requirements, to the detriment of users' own: "we want your real names, so we can be the authority of record for everything! And we won't let you hack anything of importance on top of the platform."

Compare with the free-for-all hacking bonanza that early twitter was, or the spam machine that Facebook is - social networks are powered by oversharing, an activity that G+ actively resisted in many different ways.

The Real Names policy and lack of write api killed any momentum.

And what of the bug itself? Googler Tyler Larson offers fascinating insights:

g+ profiles [have] dumb "shared and yet marked as private" superposition of user intent flags.

I have no concern at all about any kind of generalized breach or exposure with one of Google's core data systems like drive, docs, and Gmail … the technical constraints that protect data are pretty solid. But looking at the sharing configuration for g+, it's just not intuitive what's shared and with whom, because the states seem to contradict each other.

You can have proper technical controls managing your permissions only if you can articulate what those permissions are supposed to be. And you can't just v2 the API with a better sharing model because users have already expressed their intent using the old model. You'd have to reacquire user intent, which is basically a non-starter.

So either you put up with a **** sharing model which is impossible to get right, or you delete everything and start over. It's no wonder they're killing it.

And what of the fact that Google found and disclosed both bugs? Thomas H. Ptacek thinks deeper:

Both times, they did exactly what you'd want a professional software team to do: they caught their own bugs, internally, and immediately fixed them. … There is no norm for reporting internally-discovered vulnerabilities and few companies reliably do it, especially in SaaS platforms where there's no end-user patching activity that needs to be motivated.

You haven't even heard about a fraction of the horrible vulnerabilities internal teams at tech companies have discovered over the years.

But Doug MacMillan—@dmac1—spots something different this time:

Bigger stakes now: GDPR is in effect.

One big question for regulators will be whether Google notified the public in a timely manner. It discovered this bug on November 13 and disclosed it 27 days later.

Meanwhile, FreeInFlorida snarks it up some more:

Wait. Google+ had 52 million users?

The moral of the story?

Find your own vulnerabilities before someone else does.

[ Effective SecOps requires staying one step ahead. Get up to speed with this Webinar covering UEBA and MITRE ATT&CK ]

And finally …

Sundar, trying really hard not to laugh

You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: youngpreacher (cc:0)

[ Find out how to take control of credentials privilege in your organization in this Oct. 31 Webinar. You'll learn best practices, more. ]