Privacy /Google / anyone gets 36 million database that includes YOU.


35 Million Google Profiles Captured In Database

Caveat poster: A security researcher has assembled a single database containing 35 million people’s Google Profiles information, including Twitter feeds, real names, and email addresses, among other data points. Google bills Profiles as a way to “decide what the world sees when it searches for you.”

But Matthijs R. Koot, a privacy and anonymity researcher at the University of Amsterdam, also found that because of the nature of Google Profiles–it’s meant to be indexed by search engines–he was able to easily save available information into a SQL database. Doing so required about a month’s effort “to retrieve the data, convert it to SQL using spidermonkey and some custom Javascript code, and import it into a database,” he said in a blog post.

1 Database Containing 35.000.000 Google Profiles. Implications?

In February 2011 it proved trivial to create a database containing ALL ~35.000.000 Google Profiles without Google throttling, blocking, CAPTCHAing or otherwise making mass-downloading attempts more difficult. It took only 1 month to retrieve the data, convert it to SQL using spidermonkey and some custom Javascript code, and import it into a database. The database contains Twitter conversations (also stored in the OZ_initData variable), person names, aliases/nicknames, multiple past educations (institute, study, start/end date), multiple past work experiences (employer, function, start/end date), links to Picasa photo albums, …. — and in ~15.000.000 cases, also the username and therefore the @gmail.com address. In summary: 1 month + 1 connection = 1 database containing 35.000.000 Google Profiles.

My activities are directed at inciting, or poking up, debate about privacy — NOT to create DISTRUST but to achieve REALISTIC trust — and about the meaning of “informed consent”, which, when signing up for online services like Google Profile, amounts to checking a box. How can a user possibly be considered to be “informed” when they are not made aware 1) of the fact that it does not seem to bother Google that profiles can be mass-downloaded (Dutch) and 2) of the misuse value –or hopefully the lack of it– of their social data to criminals and certain types of marketers? Does this enable mass spear phishing attacks and other types of social engineering, or is that risk negligible, e.g. because criminals use other methods of attack and/or have other, better sources of personal data? Absence of ANY protection against mass-downloading is the status quo at Google Profile. Strictly speaking I did not even violate Google policy in retrieving the profiles, because http://www.google.com/robots.txt explicitly ALLOWS indexing of Google Profiles and my code is part of a personal experimental search engine project.
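The conversion step Koot describes above (scraped profile pages to SQL), as an added example that is not his code and not part of the original post. It assumes each scraped page embeds a script that assigns the OZ_initData variable named in the post; the field layout inside that variable and the two sample pages are constructed for this example, since the real layout is not shown on the page. The check a practitioner would add at this step: the profile contents are controlled by whoever created the profile, so an INSERT built by string concatenation must quote every scraped value properly, and the embedded script text must be parsed as JSON rather than evaluated. The second sample page exists only to show that.

```javascript
// Added example (not Koot's code): turn scraped Google Profile pages into SQL
// INSERT statements. Assumptions: each page embeds `var OZ_initData = {...};`
// and the field names below are a constructed, simplified layout.

// Constructed sample pages. The second has no username (so no @gmail.com
// address) and a display name crafted to break naively concatenated SQL.
const SAMPLE_PAGES = [
  '<html><head><title>Jane Doe - Google Profile</title></head><body>' +
  '<script type="text/javascript">var OZ_initData = {"name":"Jane Doe",' +
  '"nickname":"jd","username":"jane.doe",' +
  '"education":[{"institute":"University of Amsterdam","study":"Computer Science","start":2005,"end":2009}],' +
  '"twitter":["first tweet"]};</script></body></html>',
  '<html><body><script>var OZ_initData = {"name":"Robert\'); DROP TABLE profiles;--",' +
  '"nickname":"bob","education":[],"twitter":[]};</script></body></html>',
];

// Pull the OZ_initData object literal out of the page and parse it as JSON.
// JSON.parse (not eval) means scraped script text is never executed.
function extractInitData(html) {
  const m = /OZ_initData\s*=\s*(\{[\s\S]*?\})\s*;?\s*<\/script>/.exec(html);
  if (!m) return null;
  try {
    return JSON.parse(m[1]);
  } catch (e) {
    return null; // not strict JSON: treat as "layout changed", do not guess
  }
}

// Render one scraped value as a SQL literal. Standard SQL quoting: double every
// single quote. (MySQL also treats backslash as an escape unless
// NO_BACKSLASH_ESCAPES is set; adjust for that dialect if you target it.)
function sqlLiteral(v) {
  if (v === null || v === undefined) return 'NULL';
  if (typeof v === 'number' && Number.isFinite(v)) return String(v);
  return "'" + String(v).replace(/'/g, "''") + "'";
}

// Statements for one profile. `id` is assigned by us, not scraped, so it is
// interpolated directly; everything else goes through sqlLiteral().
function profileToSql(id, data) {
  const email = data.username ? `${data.username}@gmail.com` : null;
  const out = [
    `INSERT INTO profiles (id, name, nickname, email) VALUES (${id}, ` +
    `${sqlLiteral(data.name)}, ${sqlLiteral(data.nickname)}, ${sqlLiteral(email)});`,
  ];
  for (const e of data.education || []) {
    out.push(
      `INSERT INTO education (profile_id, institute, study, start_year, end_year) VALUES (${id}, ` +
      `${sqlLiteral(e.institute)}, ${sqlLiteral(e.study)}, ${sqlLiteral(e.start)}, ${sqlLiteral(e.end)});`
    );
  }
  for (const t of data.twitter || []) {
    out.push(`INSERT INTO tweets (profile_id, text) VALUES (${id}, ${sqlLiteral(t)});`);
  }
  return out;
}

// Convert a batch of pages; pages without a parseable OZ_initData are skipped.
function convertPages(pages) {
  const stmts = [];
  let id = 0;
  for (const html of pages) {
    const data = extractInitData(html);
    if (!data) continue;
    id += 1;
    stmts.push(...profileToSql(id, data));
  }
  return stmts;
}

console.log(convertPages(SAMPLE_PAGES).join('\n'));
```

Run it with node and pipe the output into sqlite3 or psql after creating the three tables. For the second sample the generated statement contains `'Robert''); DROP TABLE profiles;--'` as a single quoted string, so the DROP never becomes a statement of its own; with plain concatenation it would have.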
