
Google Ads Glitch Exposes Sensitive Competitor Data, Causes Reporting Disruption


A significant glitch in Google Ads recently disrupted advertisers’ access to critical performance data and inadvertently exposed sensitive competitor information, raising concerns about data security and potential unfair business practices. The issue, which began on July 30, 2024, led to the temporary unavailability of key reporting tools and product management features, complicating campaign management for businesses. 

The main issue with the glitch was the accidental exposure of sensitive competitor information. Between July 30 and July 31, 2024, a small number of advertisers could view unrelated item IDs, product titles, and Merchant Center information from other accounts. This breach allowed advertisers to identify direct competitors by searching through the exposed product titles, raising significant privacy and competitive fairness concerns. Furthermore, the Products, Product Groups, and Listing Groups pages were down across the web interface, API, and Google Ads Editor. This outage prevented advertisers from accessing essential performance data, including insights into competitors’ products and advertising strategies. 

Although the exposed data did not include personal information, it provided valuable insights into competitors’ advertising methods, potentially giving some advertisers an unfair advantage. This incident underscored severe issues regarding data security and the possibility of unethical business practices. Google acknowledged the problem and is actively working to resolve it. Ginny Marvin, a Google Ads liaison, mentioned on X (formerly Twitter) that the team is “actively looking into” the issue and will provide updates as more information becomes available. 

However, the company has not provided detailed information about the cause of the glitch or the number of affected users. In response to this incident, some advertising agencies have started encrypting sensitive information within client accounts to prevent future breaches. As of August 4, 2024, Google reported via its dashboard and product liaison handle on X that while some accounts might still be impacted, services have been fully restored to other accounts. For accounts not affected by this issue, all reporting services have been restored.  

Google has assured users that it is continuing efforts to restore reporting services for the Report Editor and the Products tab for affected accounts. It promised to provide further updates as more information becomes available and to reach out directly to all impacted customers with details on the incident. Advertisers are advised to be cautious when accessing their Google Ads accounts and to avoid acting on any data until Google confirms that the issue is fully resolved. The ongoing efforts by Google to restore all reports online are a positive step towards re-establishing data security and confidence in the platform.

Google WAF Circumvented Via Oversized POST Requests


It is possible to circumvent Google's cloud-based defences due to security flaws in the default protection offered by the company's web application firewall (WAF). 

Researchers from security firm Kloudle discovered that by sending a POST request larger than 8KB, they were able to get beyond the web app firewalls on both Google Cloud Platform (GCP) and Amazon Web Services (AWS). 

“The default behaviour of Cloud Armor, in this case, can allow malicious requests to bypass Cloud Armor and directly reach an underlying application,” according to Kloudle. 

“This is similar to the well-documented 8 KB limitation of the AWS web application firewall, however, in the case of Cloud Armor, the limitation is not as widely known and is not presented to customers as prominently as the limitation in AWS.”

WAFs are designed to guard against web-based attacks such as SQL injection and cross-site scripting even when the underlying application remains vulnerable. If a targeted endpoint accepts HTTP POST requests "in a manner that could trigger an underlying vulnerability," bypassing this safeguard brings a potential attacker one step closer to attacking a web-hosted application.

Kloudle explains in a technical blog post, “This issue can be exploited by crafting an HTTP POST request with a body size exceeding the 8KB size limitation of Cloud Armor, where the payload appears after the 8192th byte/character in the request body.”

Google's Cloud Armor WAF comes with a collection of predefined firewall rules based on the OWASP ModSecurity Core Rule Set, which is open source. The possible attack vector can be blocked by setting a custom Cloud Armor rule to block HTTP requests with request bodies larger than 8192 bytes - a general rule that can be customised to accommodate defined exceptions. 
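The following is an added illustration, not code from Kloudle or Google: a small model of a WAF whose signature rules only see the first 8192 bytes of a POST body, beside the custom size-limit rule described above, with an exception list for endpoints that legitimately accept large bodies. The Cloud Armor rule expression and gcloud command in the comments are assumed from Google's documentation; the signatures and requests are constructed for the demo.

```python
"""Model of body-inspection limits in a WAF and the size-limit rule that closes the gap.
Constructed example; the signature list is a tiny stand-in for the OWASP CRS."""
from dataclasses import dataclass
from typing import FrozenSet, Optional

INSPECTION_LIMIT = 8192  # bytes of the body the preconfigured rules inspect (per the article)
SIGNATURES = (b"<script>", b"' or 1=1", b"union select")  # constructed, not the real CRS


@dataclass
class Request:
    path: str
    body: bytes

    @property
    def content_length(self) -> int:
        return len(self.body)


def default_inspection(req: Request) -> str:
    """Default behaviour: signatures are matched only inside the inspection window."""
    window = req.body[:INSPECTION_LIMIT].lower()
    return "deny" if any(sig in window for sig in SIGNATURES) else "allow"


def size_limit_rule(req: Request, allowed_large_paths: FrozenSet[str] = frozenset()) -> Optional[str]:
    """Equivalent of the custom Cloud Armor rule (expression assumed from Google docs):
         int(request.headers['content-length']) > 8192   -> action deny-403
       e.g. gcloud compute security-policies rules create 1000 --security-policy=POLICY \
              --expression="int(request.headers['content-length']) > 8192" --action=deny-403
       Paths in allowed_large_paths are the 'defined exceptions' and fall through to inspection."""
    if req.content_length > INSPECTION_LIMIT and req.path not in allowed_large_paths:
        return "deny"
    return None  # rule did not match; continue down the rule chain


def hardened_policy(req: Request, allowed_large_paths: FrozenSet[str] = frozenset()) -> str:
    """Evaluate the size rule first (higher priority), then the preconfigured inspection.
    Note: an excepted path still only gets the first 8192 bytes inspected, so keep exceptions minimal."""
    verdict = size_limit_rule(req, allowed_large_paths)
    return verdict if verdict is not None else default_inspection(req)


def make_request(path: str, marker: bytes = b"", pad: int = 0) -> Request:
    """Constructed body: `pad` harmless filler bytes followed by an optional marker string."""
    return Request(path, b"a" * pad + marker)


if __name__ == "__main__":
    late = make_request("/login", b"<script>", pad=INSPECTION_LIMIT)  # marker beyond the window
    print("default:", default_inspection(late), "| hardened:", hardened_policy(late))
```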

Even though AWS' WAF has similar issues, Kloudle faulted GCP for neglecting to notify customers about the problem. According to the researchers, other cloud-based WAFs have comparable drawbacks. 

Kloudle told The Daily Swig: “This is part of ongoing work… so far, we have seen request body limitations with Cloudflare, Azure, and Akamai as well. Some have 8KB and others extend to 128KB.” 

In response to questions from The Daily Swig, a Google spokesperson stated that the 8KB restriction is documented by the company. Kloudle's representative, for their part, acknowledged the trade-off between security and functionality.

The representative explained, “Perimeter security software is hard. I suspect in this case the 8KB limit allows them to reliably process other WAF rules. They could be doing more for developer awareness, including adding that rule by default with the option to disable in case someone wants to. As per the shared security responsibility model they put the onus on the end-user to use the service securely.”

Kloudle's representative expressed sympathy for the security and functionality trade-offs that cloud providers must make but suggested to The Daily Swig that cloud providers could do more to educate consumers about the issue.