Social network Blippy to hire CSO in wake of security woes
CIO - Blippy, a social networking site that allows users to share their purchases and discuss shopping with others, will revamp its security plans and hire a Chief Security Officer after an embarrassing incident in which the site accidentally published a few of its members' credit card numbers on Google.
(CSO first reported concerns about Blippy in ShmooCon: Inside Farmville's Sinister Underbelly.)
Blippy Co-founder and CEO Ashvin Kumar said in a blog post this week that the slip-up occurred as a result of a technical oversight back in February that caused raw transaction data to appear within the HTML code on some Blippy pages for about half a day.
"Up until that day in early February, based on the raw transaction data we had observed during our beta period, we incorrectly considered raw data fairly harmless," said Kumar. "As we have always strived to be highly attentive to potential security and privacy problems, we quickly patched the issue and took extra precautions to never ever expose raw transaction data again."
Also see Social Media Risks: The Basics on CSOonline.com
However, according to Kumar, Blippy officials failed to realize until recently that in that half-day period of exposure, Google had crawled and indexed a portion of Blippy' pages. Even though the sensitive information was hidden in the HTML and not visible in plain view, the Google crawler observed it and recorded the information to put into its search index.
"Google effectively took a snapshot of Blippy during that half day period," explained Kumar in the post. "Though our site has changed considerably since early February, Google's snapshot of these pages did not update, which effectively extended a half day exposure into a three month exposure. While Google provides webmasters with tools to remove pages from its index, we overlooked the fact that Blippy could have been crawled by Google during the period of the exposure."
Kumar said Blippy executives have hammered out a security plan that aims to prevent further security missteps. It includes hiring a Chief Security Officer and associated staff that will focus solely on issues relating to information security. Blippy will also undergo regular 3rd-party infrastructure and application security audits and create a security and privacy center, in addition to other measures included in the plan.
In February, CSO reported that presenters at ShmooCon noted that penetration testers love Blippy because of the naked insight it offers into the spending habits of specific individuals. They also shared a favorite quote making its way around the infosec community: "I joined Blippy and all I got was jacked at the ATM." In 10 Security Reasons to Quit Facebook, CSO spoke with several security experts who noted that social networks like Blippy put privacy at peril and make users an easy target for social engineering attacks and other crimes.
- Why Projects Fail CIOs are expected to deliver more projects that transform business, and do so on time, on budget and with limited resources.
- The New Business Case for Video Conferencing: 7 Real-World Benefits Beyond Cost-Savings This whitepaper provides insight into the value of video conferencing in today's business environment, and how organizations are using visual collaboration to find...
- Gartner Magic Quadrant for Client Management Tools The client management tool market is maturing and evolving to adapt to consumerization, desktop virtualization, and an ongoing need to improve efficiency.
- Audit Ready and Asset Optimized: The Solid Promise of an Intelligent Software Asset Management Solution In this paper Frost & Sullivan examines the benefits of enterprise-grade Software Asset Management solutions, and how these solutions serve as the convergence...
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All IT Careers White Papers | Webcasts