Spammers are turning to Google and Yahoo! to help them spread their wares. Shouldn’t Google and Yahoo! follow industry best practices of confirming your interest before sending you email?
Do you have a Google Profile? Did you find yourself getting the collywobbles when you read the headlines in the security press?
Here’s just a handful of the many headlines that have appeared in the last few days:
“35 Million Google Profiles Captured In Database”, Information Week
“35m Google Profiles dumped into private database”, The Register
Matthijs R. Koot, a PhD student at the University of Amsterdam, was able to create a database of 35 million Google Profiles, scooping up real names, email addresses, biographical information, Twitter feeds, links to Picasa photos, etc.
Sound scary to you? If so, maybe you’re one of those people who has populated your Google Profile with a large amount of private information that you wouldn’t like to fall into the hands of ne’er-do-wells.
At first glance the headlines might appear worrying. But there’s one important thing you need to know.
All of this information was already available to anyone on the internet.
You may remember that last year security researcher Ron Bowes conducted a similar experiment with Facebook, creating a database of 100 million Facebook users who had left their profiles open for anybody to view.
Koot has done something similar – but with Google Profiles. He wrote a relatively simple script (which he published on the net for others to try out) that harvests Google Profile data – and in the process, revealed that many users were potentially being careless with their personal information.
So, Koot hasn’t actually exposed any new information. He’s just written a script to collect together data which was already out there.
Google Profile lets you choose the form of the URL to your profile. You can either have a random-looking number, or your Gmail username.
For instance, Matthijs R. Koot has the option of using:
However, Google Profile users are explicitly warned that if they choose to customise their URL with their GMail username, they will be making their email address publicly discoverable.
Koot says that he conducted the test to expose how careless people were being with Google Profile, and in particular that they were exposing their email addresses.
He discovered that approximately 40% of the 35 million Google Profiles he accessed exposed the owner’s username and hence their @gmail.com address. That’s around 15 million exposed email addresses.
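The harvesting step is the simple part; the privacy problem lies in the choice of URL. The following is an added example (not Koot’s script, and not Google’s code) that shows how a profile URL of the username form gives away a Gmail address, while the numeric form does not. The profile URLs are constructed for illustration, the host name and the username rules (letters, digits and periods, 6 to 30 characters) are assumptions, and no network request is made.

```python
import re
from urllib.parse import urlparse

# Constructed sample of profile URLs for this example; none belongs to a real person.
# The numeric form is the random-looking ID; the other form is the chosen vanity
# name, which for most users is their Gmail username.
SAMPLE_PROFILE_URLS = [
    "https://profiles.google.com/117543112354586384587",
    "https://profiles.google.com/alice.example",
    "https://profiles.google.com/bob_example/about",
    "https://profiles.google.com/108829362871627415936/photos",
    "https://profiles.google.com/carol.example?hl=en",
]

NUMERIC_ID = re.compile(r"^\d{15,25}$")
# Assumed Gmail username shape: letters, digits and periods, no leading/trailing period.
USERNAME = re.compile(r"^[a-z0-9](?:[a-z0-9.]*[a-z0-9])?$", re.IGNORECASE)


def profile_handle(url):
    """Return the first path segment of a profile URL (the ID or the vanity name)."""
    parts = [p for p in urlparse(url).path.split("/") if p]
    return parts[0] if parts else ""


def exposed_email(url):
    """Return the @gmail.com address a username-style URL reveals, or None.

    Numeric IDs reveal nothing. A handle that cannot be a Gmail username
    (e.g. one containing an underscore) is treated as not exposing an address.
    """
    handle = profile_handle(url)
    if not handle or NUMERIC_ID.match(handle):
        return None
    if not (6 <= len(handle) <= 30) or not USERNAME.match(handle):
        return None
    return f"{handle.lower()}@gmail.com"


def exposure_report(urls):
    """Summarise how many of the given profile URLs leak a Gmail address."""
    emails = [e for e in (exposed_email(u) for u in urls) if e]
    return {
        "total": len(urls),
        "exposed": len(emails),
        "rate": len(emails) / len(urls) if urls else 0.0,
        "emails": emails,
    }


if __name__ == "__main__":
    report = exposure_report(SAMPLE_PROFILE_URLS)
    print(f"{report['exposed']} of {report['total']} profiles expose an address")
    for email in report["emails"]:
        print(" ", email)
```

Run on the constructed sample, two of the five URLs yield an address. The same classification applied to a real crawl is all that is needed to turn a public list of profiles into a mailing list, which is the point Koot was making.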
There’s an obvious potential for spear phishing and malware campaigns when you have access to such a hoard of legitimate email addresses. Especially when they can be combined with other personal information shared on your Google Profile.
Google Profile users can adjust their settings to not allow their profiles to be indexed by search engines. But that’s not really fixing the main problem.
Wouldn’t it be better to choose not to post personal information in the first place?
One problem, of course, is that you may not actually realise that you already have a Google Profile.
After all, Google freely admits that “if you’ve been writing reviews on Google Maps, posting buzz on Google Buzz, creating articles on Google Knol, sharing Google Reader items, or adding books to your Google Book Search library, you may already have a profile.”
Maybe now is the time to check if you have a Google Profile, and – if you do – that you’re comfortable with the information you’re sharing through it.
Ultimately, though, remember the golden rule. If you don’t want a piece of information to fall into the hands of hackers/your boss/your mother-in-law then maybe it’s best not to post it on the internet in the first place.
There’s good news for any owners of Android devices worried about the recently announced security vulnerability that could allow unauthorised parties to snoop on your Google Calendar and Contacts information.
Google has already started rolling out a fix!
The issue had already been fixed in Android 2.3.4 (codenamed Gingerbread), but as we mentioned earlier this week over 99% of Android users are running earlier versions of the operating system.
Google has started to implement a server-side patch that addresses the issue for all versions of the Android OS. The great news is that it doesn’t require a software update on the Android devices themselves – meaning the fix is automatic and worldwide. Effectively this is a silent fix.
The fix addresses a vulnerability with the use of authTokens for Google’s Calendar and Contacts apps discovered by researchers at Germany’s University of Ulm, but a similar issue with Picasa is still being investigated. If not fixed, the problems could mean that a hacker could snoop on your activity when you use an unencrypted WiFi hotspot and steal personal information.
Google reckons the work will be complete, and all devices secured from this vulnerability, within the week by forcing its servers to use an encrypted HTTPS connection when Android phones try to sync with them.
Here’s what a Google spokesperson had to say:
"Today [May 18th] we’re starting to roll out a fix which addresses a potential security flaw that could, under certain circumstances, allow a third party access to data available in calendar and contacts. This fix requires no action from users and will roll out globally over the next few days."
So, it’s a very good thing that this problem is being fixed. Of course, concerns still remain as to how easy it would be to fix a serious security vulnerability on the Android devices themselves, given that Google is so reliant on manufacturers and carriers to push out OS updates.
According to German researchers, 99% of Android devices might be at risk from a vulnerability which could allow unauthorised parties to snoop on your Google Calendar and Contacts information.
The discovery by the University of Ulm researchers brings to light a serious privacy issue, and underlines the difficulty that many Android smartphone owners appear to face keeping their operating systems up-to-date.
According to the paper by Bastian Könings, Jens Nickels, and Florian Schaub, entitled “Catching AuthTokens in the Wild: The Insecurity of Google’s ClientLogin Protocol”, in Android 2.3.3 and earlier the Calendar and Contacts apps transmit information “in the clear” via HTTP, and retrieve an authentication token (authToken) from Google.
That means that there’s the potential for cybercriminals to eavesdrop on WiFi traffic and steal the authToken that your smartphone has just received from Google.
As authTokens can be used for several days for subsequent requests, hackers can exploit them to access what should be private services and data – such as your web-based calendar. Furthermore, it turns out that the generated authTokens are not linked to a particular phone, so they can be easily used to impersonate a handset.
The scenario is a real problem if you use an unencrypted WiFi hotspot (such as those commonly available in hotel lobbies, airports or at the coffee shop on the corner of your street), as someone could snoop on your authToken and abuse it.
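To make the problem described above concrete, here is an added example (my own code, not the Ulm researchers’ tooling and not Android’s) covering both the eavesdropping scenario and the fix that Google rolled out by forcing HTTPS for sync. The first function does what a passive observer on an open hotspot could do: scan captured cleartext HTTP requests for a `GoogleLogin auth=` header and pull out the token together with the host and path it was used against. The second models the corrected client behaviour: a sync request only carries the token when the URL scheme is `https`. The captured packets are constructed for this example and the token values are made up; the header format is the ClientLogin `Authorization: GoogleLogin auth=...` form, and the paths are assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed packet samples as (destination port, TCP payload). Tokens are
# made up for this example. Port 80 traffic is readable by anyone on the same
# open WiFi; the port 443 payload is a TLS record and carries nothing readable.
CAPTURED_PACKETS = [
    (80, b"GET /calendar/feeds/default/private/full HTTP/1.1\r\n"
         b"Host: www.google.com\r\n"
         b"Authorization: GoogleLogin auth=DQAAAMYAAACdemoCalendarToken\r\n\r\n"),
    (80, b"GET /m8/feeds/contacts/default/full HTTP/1.1\r\n"
         b"Host: www.google.com\r\n"
         b"Authorization: GoogleLogin auth=DQAAAMYAAACdemoContactsToken\r\n\r\n"),
    (443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),  # TLS ClientHello, opaque
    (80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),     # cleartext, but no token
]

AUTH_HEADER = re.compile(rb"^Authorization:\s*GoogleLogin\s+auth=(\S+)",
                         re.IGNORECASE | re.MULTILINE)
REQUEST_LINE = re.compile(rb"^(GET|POST|PUT|DELETE)\s+(\S+)\s+HTTP/1\.[01]", re.IGNORECASE)
HOST_HEADER = re.compile(rb"^Host:\s*(\S+)", re.IGNORECASE | re.MULTILINE)


def find_cleartext_tokens(packets):
    """Return (host, path, token) for each authToken sent over plain HTTP.

    Only port 80 payloads are inspected: a passive observer cannot read the
    contents of a TLS connection, which is exactly why forcing HTTPS fixes this.
    """
    found = []
    for port, payload in packets:
        if port != 80:
            continue
        match = AUTH_HEADER.search(payload)
        if not match:
            continue
        req = REQUEST_LINE.match(payload)
        host = HOST_HEADER.search(payload)
        found.append((
            host.group(1).decode() if host else "",
            req.group(2).decode() if req else "",
            match.group(1).decode(),
        ))
    return found


class InsecureTransport(Exception):
    """Raised when a client would send a bearer token over a cleartext channel."""


def build_sync_request(url, token):
    """Return the headers for a Calendar/Contacts sync, attaching the token only over HTTPS.

    This mirrors the post-fix behaviour: the authToken is a bearer credential that
    stays valid for days and is not bound to the handset, so it must never
    travel in the clear.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise InsecureTransport(f"refusing to send authToken over {parts.scheme}://{parts.netloc}")
    return {"Host": parts.netloc, "Authorization": f"GoogleLogin auth={token}"}


if __name__ == "__main__":
    for host, path, token in find_cleartext_tokens(CAPTURED_PACKETS):
        print(f"cleartext authToken for {host}{path}: {token}")
    try:
        build_sync_request("http://www.google.com/calendar/feeds/default/private/full", "token")
    except InsecureTransport as exc:
        print("blocked:", exc)
    print(build_sync_request("https://www.google.com/calendar/feeds/default/private/full", "token"))
```

Against the constructed capture the scanner recovers both tokens from the port 80 requests and nothing from the TLS record; the same token scanned from HTTPS traffic is simply not visible. Because a stolen token is accepted for several days and is not tied to the phone that obtained it, the only effective control is the transport, which is what the `https` check enforces.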
According to the researchers, Google has fixed the problem in Android 2.3.4. But there’s the rub. Just how many people are still running older versions of the Android OS?
Approximately 99% of Android users are vulnerable, as they haven’t updated to at least version 2.3.4 (codenamed “Gingerbread”).
Unfortunately it’s not always possible to easily upgrade the version of Android running on your phone as you are very dependent on your mobile phone manufacturer and carrier providing the update to you over the air.
There is a huge range of Android smartphones out there, and whereas Apple can issue a single iOS update to patch iPhones and iPads, things aren’t so simple for Google’s users. This fragmentation inevitably leaves Android devices open to security problems.
Fortunately, Google seems to be aware of this pain, and says it will work more closely with manufacturers and carriers to ensure users can receive the latest Android updates in the future.
But what should you do if you’re a concerned Android owner?
My recommendation would be to upgrade to the latest version of Android if at all possible.
Furthermore, do not use open WiFi networks, as your communications may not be properly protected. If you’re worried about this latest security issue you might be wise to connect to the internet via 3G from your smartphone rather than using unencrypted public WiFi connections.
Using 3G may eat into your data plan, but it’s far less likely that your communications are being snooped upon.
Update: Good news. Google has started rolling-out a fix for this vulnerability.