Security Breaches Examples – Google+

We have dedicated this blog to real-world security breaches with emphasis on attacks targeting the API layer. In this series of blog posts, we will examine the most notable security attacks along with some background on the root cause, business impact and prevention best practices.

We’ll kick off the first blog post with an overview of the API attack that targeted Google+ and that forced the tech giant to shut down its social network.

Background

On December 10, 2018, Google revealed that Google+ had suffered another massive data breach, forcing the tech giant to shut down its social network four months earlier than its actual scheduled date.

The root cause was a critical security vulnerability in one of Google+’s People APIs that allowed developers to retrieve private information from 52.5 million users, including their name, email address, occupation, and age. The API endpoint in question, “People: get”, was designed to let developers request basic information associated with a user profile. However, a software update in November 2018 introduced a security vulnerability in the Google+ People API that allowed third-party app developers to view users’ information even if a user profile was set to not public. The security issue was discovered and fixed within a week of being introduced, but too late to prevent the API vulnerability from being exploited by hackers.

Analysis

APIs drive almost all kinds of applications, including web, mobile, IoT and many others. The API layer is the visible backbone of any application; it is where all the data and requests get processed. As a result, the API layer exposes a very large attack surface, as the Google+ API attack shows. Hackers are now targeting API-specific vulnerabilities, specifically around data access controls, including RBAC and ABAC. In the Google+ case, hackers exposed user data from 52.5 million accounts.
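To make the defect class behind the Background and Analysis sections concrete, here is an added illustration (not Google’s code, and not FX Labs’ platform): a minimal “People: get”-style handler that serialises every profile field regardless of the user’s visibility setting, the same handler with a per-object authorization check, and a small test that reports which non-public profiles leak private fields to an app the user never authorized. The profiles, app ids and the rule that only the name is ever public are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample data and rules; the field names follow the ones the post lists.
PRIVATE_FIELDS = {"email", "occupation", "age"}


@dataclass
class Profile:
    name: str
    email: str
    occupation: str
    age: int
    public: bool                                        # visibility chosen by the user
    authorized_apps: set = field(default_factory=set)   # apps the user consented to


PROFILES = {
    "u1": Profile("Alice", "alice@example.com", "Engineer", 34, False, {"app-a"}),
    "u2": Profile("Bob", "bob@example.com", "Designer", 29, True),
}


def people_get_vulnerable(user_id: str, app_id: str) -> dict:
    """Defect class: returns every field, ignoring visibility and consent."""
    p = PROFILES[user_id]
    return {"name": p.name, "email": p.email, "occupation": p.occupation, "age": p.age}


def people_get_fixed(user_id: str, app_id: str) -> dict:
    """Per-object check before serialising: private fields are released only
    when the profile is public or the calling app was granted access by the user."""
    p = PROFILES[user_id]
    data = {"name": p.name}
    if p.public or app_id in p.authorized_apps:
        data.update(email=p.email, occupation=p.occupation, age=p.age)
    return data


def leaked_profiles(handler, app_id: str = "untrusted-app") -> list:
    """Authorization test: call the handler as an app holding no grants and
    report every non-public profile whose private fields still came back."""
    leaks = []
    for uid, p in PROFILES.items():
        if p.public or app_id in p.authorized_apps:
            continue                       # this app may legitimately see the data
        if PRIVATE_FIELDS & set(handler(uid, app_id)):
            leaks.append(uid)
    return leaks
```

Running `leaked_profiles` against each handler is the kind of per-endpoint, per-object check that catches this class of bug before a release does.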

How Could This Have Been Prevented?

FX Labs is the answer to attacks targeting the API layer because our automated platform, APISec, can instantly test every API endpoint and is granular enough to detect the Top 20 API vulnerabilities (including RBAC and ABAC). No other platform can make your APIs as safe as we can, which is why some of the largest companies use our platform.

During our latest engagement, our platform found 25 critical ABAC vulnerabilities for one of the largest financial services companies in the world. These types of vulnerabilities are impossible to find otherwise and would have allowed one user unauthorized access to the resources of other tenants.

This could have cost them not only fraud and lawsuits but also additional punishments for breaching GDPR guidelines.

Contact us today to schedule a demo or for a quick test-drive on your APIs.

2019-03-12T10:30:38-07:00

About the Author:

Amjad Afanah is a serial entrepreneur with extensive experience in API security, cloud automation and application management. He is currently the co-founder of FX Labs, an enterprise-class API security management company that allows enterprises to protect their applications from attacks targeting the API layer, which represent the vast majority of all security vulnerabilities today. He successfully co-founded and led DCHQ, a cloud management and container orchestration company, to a successful acquisition. He held leadership roles at HyperGrid, VMware and Oracle. Amjad holds a bachelor’s degree in computer science from MIT and an MBA degree from UCLA.
