Social network Blippy to hire CSO in wake of security woes
CIO - Blippy, a social networking site that allows users to share their purchases and discuss shopping with others, will revamp its security plans and hire a Chief Security Officer after an embarrassing incident in which the site accidentally published a few of its members' credit card numbers on Google.
(CSO first reported concerns about Blippy in ShmooCon: Inside Farmville's Sinister Underbelly.)
Blippy Co-founder and CEO Ashvin Kumar said in a blog post this week that the slip-up occurred as a result of a technical oversight back in February that caused raw transaction data to appear within the HTML code on some Blippy pages for about half a day.
"Up until that day in early February, based on the raw transaction data we had observed during our beta period, we incorrectly considered raw data fairly harmless," said Kumar. "As we have always strived to be highly attentive to potential security and privacy problems, we quickly patched the issue and took extra precautions to never ever expose raw transaction data again."
Also see Social Media Risks: The Basics on CSOonline.com
However, according to Kumar, Blippy officials failed to realize until recently that in that half-day period of exposure, Google had crawled and indexed a portion of Blippy' pages. Even though the sensitive information was hidden in the HTML and not visible in plain view, the Google crawler observed it and recorded the information to put into its search index.
"Google effectively took a snapshot of Blippy during that half day period," explained Kumar in the post. "Though our site has changed considerably since early February, Google's snapshot of these pages did not update, which effectively extended a half day exposure into a three month exposure. While Google provides webmasters with tools to remove pages from its index, we overlooked the fact that Blippy could have been crawled by Google during the period of the exposure."
Kumar said Blippy executives have hammered out a security plan that aims to prevent further security missteps. It includes hiring a Chief Security Officer and associated staff that will focus solely on issues relating to information security. Blippy will also undergo regular 3rd-party infrastructure and application security audits and create a security and privacy center, in addition to other measures included in the plan.
In February, CSO reported that presenters at ShmooCon noted that penetration testers love Blippy because of the naked insight it offers into the spending habits of specific individuals. They also shared a favorite quote making its way around the infosec community: "I joined Blippy and all I got was jacked at the ATM." In 10 Security Reasons to Quit Facebook, CSO spoke with several security experts who noted that social networks like Blippy put privacy at peril and make users an easy target for social engineering attacks and other crimes.
- 2014 IT Workplace Trends and Salary Guide Staying competitive in the IT market can be challenging. This guide provides you with insight into variety of IT workplace trends including, U.S....
- The Shortfall of Network Load Balancing Applications running across networks encounter a wide range of performance, security, and availability challenges as IT department strive to deliver fast, secure access...
- Leave No App Behind with Software Defined Application Services F5 Software Defined Application Services (SDAS) is the next-generation model for delivering application services that enables service injection, consumption, automation, and orchestration across...
- Five Key Issues for DNS - The Next Network Management Challenge Since every icon and URL and all embedded content on a website requires a DNS lookup, loading complex sites necessitates hundreds of DNS...
- NSS Labs & Cisco Present: Evaluating Leading Breach Detection Systems Today's constantly evolving advanced malware and APTs can evade point-in-time defenses to penetrate networks. Security professionals must evolve their strategy in lockstep to...
- Will the Real Endpoint Threat Detection and Response Please Stand Up? This webinar explores new technologies & process for protecting endpoints from advanced attackers as well as the innovations that are pushing the envelope... All IT Careers White Papers | Webcasts
Our 28th annual survey results show which IT skills are in high demand and which are cooling off. Also, see how your salary stacks up to peers' with our Smart Salary Tool.