(Credit:
Google)
Google said Friday that it was modifying the privacy settings on its JotSpot online collaboration service after a researcher discovered that user e-mail addresses and names were being exposed to the Web without user consent.
Ben Edelman, Harvard Business School professor and security researcher, posted a blog entry on Thursday showing how JotSpot user names and e-mail addresses were easily accessible on Google search.
After being contacted by CNET News, Google issued a statement disavowing any responsibility by saying that the administrators of the JotSpot groups were responsible for setting the privacy controls. If the information was exposed on the Internet it was because the administrators had made it public.
Not satisfied with that response, Edelman pointed out the flaws with that excuse in an update to his original post.
JotSpot users didn't agree to have their names and e-mails made public and Edelman talked to several who said they indeed did not grant consent. Administrator permission is not sufficient to justify the practice, and administrators are not party to the privacy policy "contract" between JotSpot and the users, he added.
In addition, Edelman found that the language relaying this responsibility to administrators was not clear and likely led to administrators mistakenly exposing the information to the Web without meaning to.
"Google should prioritize defaults and options that accommodate reasonable users, reasonable administrators, and standard use cases," he wrote.
In other words, make the policy notice understandable and clear and make it rational. Clearly, those thousands of JotSpot users wouldn't have wanted to have their names and e-mail addresses exposed for strangers and spammers to see, even if the administrator of the group wanted it so.
In response, Scott Johnston, former vice president of products at JotSpot, sent an e-mail to Edelman outlining changes based on his feedback.
"Admins have always been in control of whether to make their wikis public or leave them set to private. JotSpot wikis are private by default, and unless an admin chooses to set it to public, none of the information in that wiki is publicly accessible," Johnston wrote.
"However, based on your feedback, we have taken action to improve the JotSpot user experience by setting the User Management page on all public JotSpot wikis to private, and we are in the process of removing these pages from our cache," the e-mail said. "All private wikis will be unaffected by this change, as their User Management pages have never been publicly accessible."
Updated at 10 p.m. PT with comments from Google.
A researcher has found that Google's JotSpot service, which allows people to collaborate on online documents, exposes user names and e-mail addresses to anyone on the Internet, but Google says the problem is due to administrator users not making the settings private.
As a result, sensitive user data is indexed by Google's crawler and made accessible on the Web, said Ben Edelman, a Harvard Business School professor and security researcher.
This screen shot shows the user management page for a JotSpot group. It lists full names.
(Credit: Ben Edelman)
"This is not a security issue," a Google spokesman said in an e-mail. "The information in these wikis is accessible because they have been set to public on the Site Permissions page. Users are always in control of the information they share. If wikis are set to private, no information will be publicly accessible."
JotSpot Wikis are private by default and no information is made public unless the group administrator changes the privacy controls, the Google spokesman said.
CNET News was able to view full user names, e-mail addresses, and group memberships of JotSpot users. This was done by searching Google for "user management" pages on JotSpot that list registered users for different JotSpot projects or groups. Such a search conducted late on Thursday brought up about 2,800 results.
Each user listed on the user management pages has a link to a page with more information, including an e-mail address.
This was the case even for wiki pages that groups designated specifically as being private, Edelman wrote in a blog post. A test of one of Edelman's examples showed that the user management page for a private group was no longer accessible, so Google may have removed public access to some of those pages.
Clicking on a user name brings up this page with e-mail address of the JotSpot user and other information.
(Credit: Ben Edelman)
Edelman said he notified Google of the security problems a week ago and that some of the affected sites were modified to address the situation Monday.
The security lapse not only exposes data that users believed was protected, but it puts the users at risk of being spammed and of being victimized by a social engineering attack, Edelman said.
Told of Google's comment, Edelman said that even if the problem is due to users not setting the privacy settings adequately, the matter still reflects poorly on Google.
"This is not good design. Showing e-mail addresses is hard to defend" especially when Web crawlers can scoop them up, he said. "It's a question of what users could reasonably understand and accept. The privacy policy doesn't give any indication" that the data could be exposed to the Web.
Google acquired JotSpot two years ago.
The problem also exposes a chink in Google's hosted services business, which relies on customers--individuals and companies--having faith in Google's ability to secure customer data, he said.
"JotSpot's postings are, by all indications, accidental. But in the context of a series of similar slip-ups, this error raises questions about the efficacy of Google's model of hosted applications," Edelman wrote.
Edelman mentions three Gmail-related security weaknesses since January 2007 that exposed full user names, allowed Web sits to retrieve user contact lists and to forward e-mails to attackers from Gmail accounts.
"As these services become increasingly widely used, each slip-up exposes an ever-larger amount of data," he writes. "So far few users seem concerned, but I suspect these hidden challenges will ultimately impede the server-based applications Google envisions."
- prev
- 1
- next
