Posts Tagged ‘facebook’

35 million Google profiles were *already* exposed on the internet

Published by pratyushkp on June 2nd, 2011 - in Social, Technology


Do you have a Google Profile? Did you find yourself getting the collywobbles when you read the headlines in the security press?

Here’s just a handful of the many headlines that have appeared in the last few days:

“35 Million Google Profiles Captured In Database”, Information Week

“35m Google Profiles dumped into private database?”, The Register

“Entire Google Profile database acquired by a user”, ARN

Matthijs R. Koot, a PhD student at the University of Amsterdam, was able to create a database of 35 million Google Profiles, scooping up real names, email addresses, biographical information, Twitter feeds, links to Picasa photos, etc.

Sound scary to you? If so, maybe you’re one of those people who has populated your Google Profile with a large amount of private information that you wouldn’t like to fall into the hands of ne’er-do-wells.

At first glance the headlines might appear worrying. But there’s one important thing you need to know.

All of this information was already available to anyone on the internet.

You may remember that last year security researcher Ron Bowes conducted a similar experiment with Facebook, creating a database of 100 million Facebook users who had left their profiles open for anybody to view.

Koot has done something similar – but with Google Profiles. He wrote a relatively simple script (which he published on the net for others to try out) that harvests Google Profile data – and in the process, revealed that many users were potentially being careless with their personal information.

So, Koot hasn’t actually exposed any new information. He’s just written a script to collect together data which was already out there.

Google Profile allows you to choose the form of the URL to your profile. You can either have a random-looking number, or the username you use for Gmail.

For instance, Matthijs R. Koot has the option of using:

https://profiles.google.com/115572197788225218471

or

https://profiles.google.com/mrkoot

However, Google Profile users are explicitly warned that if they choose to customise their URL with their GMail username, they will be making their email address publicly discoverable.

Koot says that he conducted the test to expose how careless people were being with Google Profile, and in particular that they were exposing their email addresses.

He discovered that approximately 40% of the 35 million Google Profiles he accessed exposed the owner’s username and hence their @gmail.com address. That’s 15 million exposed email addresses.
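As an added example (not from the original post, and not Koot's harvesting script), a small Python self-audit that classifies a Google Profile URL as a numeric ID or a customised username and, for the latter, shows the @gmail.com address the URL discloses. The Gmail username syntax rule and every sample URL other than the two quoted above are assumptions.

```python
import re
from urllib.parse import urlparse

PROFILE_HOST = "profiles.google.com"
# Numeric profile IDs are long all-digit strings (the one quoted above has 21 digits).
NUMERIC_ID = re.compile(r"^\d{15,}$")
# Assumed Gmail username syntax: 6-30 letters, digits or dots, no leading/trailing dot.
USERNAME = re.compile(r"^[a-z0-9](?:[a-z0-9.]{4,28}[a-z0-9])?$", re.IGNORECASE)

def profile_exposure(url):
    """Return (kind, email): kind is 'numeric', 'username' or 'invalid';
    email is the @gmail.com address a customised URL discloses, else None."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or parts.netloc.lower() != PROFILE_HOST:
        return ("invalid", None)
    # The first path segment is the identifier; trailing segments such as /about are ignored.
    ident = parts.path.strip("/").split("/")[0]
    if NUMERIC_ID.match(ident):
        return ("numeric", None)
    if USERNAME.match(ident):
        return ("username", ident.lower() + "@gmail.com")
    return ("invalid", None)

def exposure_report(urls):
    """Count URL kinds, compute the share of valid profiles that leak an
    address, and list the leaked addresses."""
    counts = {"numeric": 0, "username": 0, "invalid": 0}
    exposed = []
    for url in urls:
        kind, email = profile_exposure(url)
        counts[kind] += 1
        if email:
            exposed.append(email)
    total = counts["numeric"] + counts["username"]
    rate = counts["username"] / total if total else 0.0
    return {"counts": counts, "exposed_rate": rate, "exposed_emails": exposed}

# Constructed sample: the two URLs quoted in the post plus four made-up entries.
SAMPLE_URLS = [
    "https://profiles.google.com/115572197788225218471",
    "https://profiles.google.com/mrkoot",
    "https://profiles.google.com/103456789012345678901",  # constructed numeric ID
    "https://profiles.google.com/example.user/about",     # constructed custom URL
    "https://profiles.google.com/109876543210987654321",  # constructed numeric ID
    "https://example.com/not-a-google-profile",           # constructed, not a profile
]

if __name__ == "__main__":
    report = exposure_report(SAMPLE_URLS)
    print(f"{report['exposed_rate']:.0%} of valid profiles disclose an address")
```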

There’s an obvious potential for spear phishing and malware campaigns when you have access to such a hoard of legitimate email addresses. Especially when they can be combined with other personal information shared on your Google Profile.

Google Profile users can adjust their settings to not allow their profiles to be indexed by search engines. But that’s not really fixing the main problem.

Wouldn’t it be better to choose not to post personal information in the first place?

One problem, of course, is that you may not actually realise that you already have a Google Profile.

After all, Google freely admits that “if you’ve been writing reviews on Google Maps, posting buzz on Google Buzz, creating articles on Google Knol, sharing Google Reader items, or adding books to your Google Book Search library, you may already have a profile.”

Maybe now is the time to check if you have a Google Profile, and – if you do – that you’re comfortable with the information you’re sharing through it.

Ultimately, though, remember the golden rule. If you don’t want a piece of information to fall into the hands of hackers/your boss/your mother-in-law then maybe it’s best not to post it on the internet in the first place.

Source: http://nakedsecurity.sophos.com/


TimeSpentHere rogue app spreads virally on Twitter

Published by pratyushkp on June 2nd, 2011 - in Social, Technology

Original post from Sophos. Author: Graham Cluley

Some Twitter users have fallen for yet another rogue application, tricking them into believing that they will discover how many hours they have spent tweeting their little hearts out.

A typical message reads:

WOW --> I have spent 38.1 hours on Twitter! See how much you have: [LINK]

If you are curious enough to click on the link, which – of course – you might do, seeing as it will appear as if one of your Twitter friends has posted it, then you will be asked to authorise a third party app’s request to access your Twitter account.

The app is called TimeSpentHere, and it can only cause a problem for you if you grant it permission to access your Twitter account. If you do, then it will be able to read your Tweets, post in your name, and even change your profile. I’m sure you can imagine the potential for abuse there.

Of course, the very first thing it will do is post a tweet in your name, encouraging your Twitter followers to also click on the link:

Not that you’ll necessarily notice that, of course, as it posts the message silently, taking your browser to a webpage of the bad guys’ own creation.

When I tested the scam on a test account, the webpage was reluctant to tell me how many hours I had spent on Twitter (as you can see in the following graphic) but had no qualms in dreaming up an imaginary number to tweet in the hope that it could tempt unsuspecting onlookers.

You’ll notice, however, that they do ask if I wouldn’t mind entering my email address “as a security precaution”. Well, I certainly do mind! And so should you.

Possibly this is an attempt to harvest email addresses, which could be used later for a phishing campaign or malware attack.

It could – of course – be weeks or months before the scammers use any information they grab for criminal purposes, but if you want to find out more follow me on Twitter, and I’ll let you know if there are any developments.

Rogue applications are popping up more and more on Twitter, whereas previously they were mostly seen only by Facebook users.

If you were unfortunate enough to grant a rogue application access to your Twitter account, revoke its rights immediately by going to the Twitter website and visiting Settings/Applications (it used to be called Settings/Connections but it seems that Twitter has changed it) and revoking the offending app’s rights.

Don’t make it easy for scammers to make money in this way, and always exercise caution about which third party apps you allow to connect with your social networking accounts.

Update: Del Harvey of Twitter’s security team has told me (in her own inimitable style) that the TimeSpentHere rogue application has now been killed off.

@gcluley (Graham Cluley): @delbius Details of another “Time spent on Twitter” rogue app: http://bit.ly/mdeNmL
(about 15 hours ago via Echofon)

@delbius (Del Harvey): @gcluley d-e-d dead.
(about 15 hours ago via Twitter for Mac)

I wonder how long until the next rogue app pops up on Twitter though..


Rihanna and Hayden Panettiere sex video spreads Mac malware on Facebook

Published by pratyushkp on June 2nd, 2011 - in Social, Technology


Hot on the heels of an earlier Mac malware attack spreading via Facebook links, we are seeing another attempt to infect Mac users on the social network – with what claims to be a sex video of celebrities Rihanna and Hayden Panettiere.

If you see messages like the following on Facebook, please do not click on the links.

one more stolen home porn video Rihanna and Hayden Panettiere

Hot Lesbian Video - Rihanna And Hayden Panettiere!!
[LINK]

Rihanna And Hayden Panettiere !!! Private Lesbian HOT Sex Tape stolen from home archive of Rihanna!

For those who don’t follow such things, Hayden Panettiere played the part of the cheerleader in the sci-fi TV show “Heroes”, and Rihanna is a pop star famous for her umbrella-ella-ella.

Not that you’ll get to see much evidence of that if you click on the link as – on Apple Macs at least – you may find yourself ending up on a webpage which tries to infect you with malware in the form of a fake anti-virus attack.

Has a private lesbian hot sex tape really been stolen from the home archive of Rihanna? Personally I think it’s unlikely, but it’s surprising what people will believe these days (and indeed, what celebrities will get up to) so it’s no wonder that some folks might click on the link.

SophosLabs is adding detection for the various components of this Mac malware attack as OSX/FakeAV-DWK, OSX/FakeAV-DWN, OSX/FakeAvDl-A and OSX/FakeAVZp-C. Users of Sophos products, including the free Mac anti-virus for home users, will be automatically updated.

Source: http://nakedsecurity.sophos.com

© Social Media Blog
