Social network Blippy to hire CSO in wake of security woes
CIO - Blippy, a social networking site that allows users to share their purchases and discuss shopping with others, will revamp its security plans and hire a Chief Security Officer after an embarrassing incident in which the site accidentally published a few of its members' credit card numbers on Google.
(CSO first reported concerns about Blippy in ShmooCon: Inside Farmville's Sinister Underbelly.)
Blippy Co-founder and CEO Ashvin Kumar said in a blog post this week that the slip-up occurred as a result of a technical oversight back in February that caused raw transaction data to appear within the HTML code on some Blippy pages for about half a day.
"Up until that day in early February, based on the raw transaction data we had observed during our beta period, we incorrectly considered raw data fairly harmless," said Kumar. "As we have always strived to be highly attentive to potential security and privacy problems, we quickly patched the issue and took extra precautions to never ever expose raw transaction data again."
Also see Social Media Risks: The Basics on CSOonline.com
However, according to Kumar, Blippy officials failed to realize until recently that in that half-day period of exposure, Google had crawled and indexed a portion of Blippy' pages. Even though the sensitive information was hidden in the HTML and not visible in plain view, the Google crawler observed it and recorded the information to put into its search index.
"Google effectively took a snapshot of Blippy during that half day period," explained Kumar in the post. "Though our site has changed considerably since early February, Google's snapshot of these pages did not update, which effectively extended a half day exposure into a three month exposure. While Google provides webmasters with tools to remove pages from its index, we overlooked the fact that Blippy could have been crawled by Google during the period of the exposure."
Kumar said Blippy executives have hammered out a security plan that aims to prevent further security missteps. It includes hiring a Chief Security Officer and associated staff that will focus solely on issues relating to information security. Blippy will also undergo regular 3rd-party infrastructure and application security audits and create a security and privacy center, in addition to other measures included in the plan.
In February, CSO reported that presenters at ShmooCon noted that penetration testers love Blippy because of the naked insight it offers into the spending habits of specific individuals. They also shared a favorite quote making its way around the infosec community: "I joined Blippy and all I got was jacked at the ATM." In 10 Security Reasons to Quit Facebook, CSO spoke with several security experts who noted that social networks like Blippy put privacy at peril and make users an easy target for social engineering attacks and other crimes.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- SDCRAA Case Study: Adapting ERP to business needs This case study goes in depth about San Diego County Regional Airport Authority's created flexibility for a changing industry.
- HP HAVEn: See the big picture in Big Data HP HAVEn is the industry's first comprehensive, scalable, open, and secure platform for Big Data. Enterprises are drowning in a sea of data...
- What Datapipe customers need to know about the new PCI DSS 3.0 compliance standard This handy quick reference outlines what PCI DSS 3.0 is, who needs to be compliant and how Alert Logic solutions address the new...
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well...
- The New Way to Work Knowledge Vault This Knowledge Vault focuses on how, in today's increasingly virtual world, it's more important than ever to engage deeply with employees, suppliers, partners,... All IT Careers White Papers | Webcasts