Facebook, Google dismiss researcher's flaw warnings
Surbo, who some of you might remember from his discovery of deep vulnerabilities in the Evite program, contacted me a few weeks ago about some new vulnerabilities he discovered in Facebook and Google+ that allowed him to produce a post to the Google+ stream that "does not allow the reader to know where the link is taking them."
Yesterday, he contacted me to say his findings have not been taken seriously.
"I reported the issue through Facebook's whitehacker bug submission process and they have never gotten back to me," he said. "I tried to stress to Google how this is an issue but they said they didn't see it as a high-priority matter. The bug also did not qualify for their bug bounty."
They are ignoring the issue at the peril of their users, he warned.
Of the flaw, he said he could produce a "post" to the Google+ stream that does not allow the reader to know where the link is taking them.
He experimented with logging the user out with malicious links and looked at making links that could be used to phish the user.
"The thing that makes this so dangerous is that the user has no way of mousing over the URL to find out where it might be taking them," he said.
Surbo said he will do further testing to see if Facebook has quietly addressed the flaw on its end. Meanwhile, he advised users to proceed with caution.
This isn't the first time Google+ security concerns have come to light.
Over the summer, when hype over Google+ was ramping up, this report from my NetworkWorld colleague Paul McNamara noted how we could expect to see the same spam problems as we've seen on Facebook:
If you're among the millions of early dabblers on Google+, you have probably picked up on an undercurrent of concern there that once the new social network is opened to commercial interests -- they're officially taboo, so far -- spammers are sure to rush the doors, too.
Well, an Australian programmer, Robert Norris Hills, says he has demonstrated the ease with which spammers may operate in Google+ by fashioning a bot capable of "circling" some 2,500 Google+ accounts per hour, and a three-minute YouTube video showing the thing in action.
--Bill Brenner