Bitdefender Blog

Second notable privacy flaw for Google+

by , on 01 July 2011

Hot on the heels of the news about a reshare bug on Google+, we’ve detected another flaw that should be of real concern to users.

The Financial Times already reported on the important privacy issue regarding the reshare feature that cannot be disabled by default, and this related flaw presents similar problems.

One of the main features of Google+ is Circles, which lets users easily share the right content with the right people. However, once content has been shared to a Circle, anyone can by default share it to other Circles. It boils down to the fact that the tagging feature can be bypassed by using the reshare option. Let's say user “A” shares a picture only to their “Close Friends” circle, and disables resharing. All it takes is for someone from that “Close Friends” circle to tag a person from outside this circle in the picture. Once this has been done, that person can share the picture to anyone, in any way.

Whilst it's true that once someone has access to a picture they can save it and redistribute it, the concern here is that Google+ is promoting Circles as a way to be selective about how you share content, yet accidental and even deliberate sharing to other Circles is all too easy to do. Let’s not forget, if it happened to Bono, it can happen to anyone.

UPDATE:

According to ZDNET, "As pointed out in the comments, it looks like a partial fix is now available, as a drop-down menu has been enabled for users to disable resharing after a post has already been made." We have tested again, and it seems that the option to disable resharing is working. However, the problem remains that tagging is not fully connected to sharing rights. So, if someone tags users that do not have the right to see a photo, they are still able to do so.

UPDATE nr. 2:

Let’s explain the process here in a little more detail (with the current status of the issue):

1.  George shares a photo with his friend Tim, and disables the resharing option (pic1, bottom image)

2.  Tim tags a third person, David, in the photo - the post is automatically cloned with different sharing settings

3.  This means that the photo will be automatically cloned in a post that can be shared (pic2) with whoever he wants.
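The three steps above can be expressed as an access-control invariant: when the owner disables resharing, no post derived from the original may be visible outside the original audience. The following is an added example, not part of the original article and not Google's code; it is a simplified model in which `Post`, `tag_flawed`, `tag_hardened`, `leaks` and the user "Stranger" are hypothetical names, showing the clone-on-tag behaviour beside a version that ties tagging to sharing rights.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Post:
    owner: str
    audience: frozenset            # users allowed to view the post
    reshare_allowed: bool
    parent: Optional["Post"] = None

def reshare(post, user, new_audience):
    if user != post.owner and user not in post.audience:
        raise PermissionError("no access to post")
    if not post.reshare_allowed:
        raise PermissionError("resharing disabled by owner")
    return Post(user, frozenset(new_audience), True, post)

def tag_flawed(post, tagger, tagged):
    # Behaviour the article describes: the tag produces a clone whose
    # sharing settings are not those of the original post.
    if tagger != post.owner and tagger not in post.audience:
        raise PermissionError("no access to post")
    return Post(tagged, frozenset({tagged}), True, post)

def tag_hardened(post, tagger, tagged):
    # Tagging is tied to sharing rights: it never widens the audience,
    # and the derived post inherits the owner's reshare setting.
    allowed = post.audience | {post.owner}
    if tagger not in allowed:
        raise PermissionError("no access to post")
    if tagged not in allowed:
        raise PermissionError("tagged user has no right to view the post")
    return Post(post.owner, post.audience, post.reshare_allowed, post)

def leaks(post):
    # Invariant check: walk back to the original post; if its owner
    # disabled resharing, every descendant must stay inside its audience.
    root = post
    while root.parent is not None:
        root = root.parent
    allowed = root.audience | {root.owner}
    return not root.reshare_allowed and not post.audience <= allowed

def scenario(tag):
    # George -> Tim -> David, as in the steps above ("Stranger" is constructed).
    original = Post("George", frozenset({"Tim"}), reshare_allowed=False)
    try:
        clone = tag(original, "Tim", "David")
        return leaks(reshare(clone, "David", {"Stranger"}))
    except PermissionError:
        return False
```

`scenario(tag_flawed)` reports a leak, while `scenario(tag_hardened)` is stopped at the tag step because David is outside the original audience.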

On Jul.1.2011 10:07

Catalin said

I'm waiting for the "see who viewed your Google+ profile" scams :D
Any bet?

On Jul.1.2011 18:04

Michele said

I already shared this post on Google+, now everybody can see it outside of those nice blue circles, or not?
Interesting article!

On Jul.2.2011 14:29

PASQUALE-BARBATO said

When I turn on Bitdefender's security, first a first and last name with no photo comes up... then my profile comes up. The person is John Doe. What should I do? I don't feel safe; is it stealing data or something else?

On Jul.3.2011 02:28

Online Strategies said

Ultimately the circles getting overlapped?
