Connect with us

Hi, what are you looking for?


Cloud Security

Beware of Googlers Bearing Gifts

Google is reported to have “declared war on the password”. While we all just hate passwords and “a quick tap on your computer with the ring on your finger” sounds like a much cooler way to login, making changes in a fundamental mechanism such as authentication should be thoroughly and carefully considered.

Google is reported to have “declared war on the password”. While we all just hate passwords and “a quick tap on your computer with the ring on your finger” sounds like a much cooler way to login, making changes in a fundamental mechanism such as authentication should be thoroughly and carefully considered.

The proposed changes, along with their merits, may carry some serious implications, especially on end-users’ privacy. These concerns are heightened when the initiative originates from a commercial party, which its business model is mostly based on utilizing end user’s data for the sake of more effective advertising campaigns.

Chart of Google Business Model

Figure 1 According to, Google generates over 96% of its revenues from advertising

Google’s “password killer” initiative

Stealing passwords is often an important milestone in a hacking campaign, as passwords provide access to secret data which is the end goal of the attackers. In order to maliciously obtain passwords attackers may abuse either client side vulnerabilities with a password stealing malware, server side vulnerabilities by hacking into the database where passwords are stored, or “user-side” social vulnerabilities with phishing sites. In an article named “Authentication at Scale” (The article is behind the paywall of “IEEE Security & Privacy” magazine ), Google’s researchers suggest a “Device-Centric Authorization” to mitigate many of these threats:

“Imagine … that each client device you own had its own strongly asserted identity. When you acquire a new device, you “bless” it with the ability to access your account. This delegation step might require the device to submit multiple factors on your behalf the very first time, or might require an out-of-band pairing protocol. From then on, the device always asserts its unique credential to server. As a result of this delegation, your device (or your well-isolated profile on a shared device) is permanently granted access to your data.”

USB Security Token

Figure 2 Physical USB token

Advertisement. Scroll to continue reading.

The proposed solution is said to increase the end user’s privacy, as “the secure element never returns a previously generated public key in any new registration step. This makes it hard to track a user across websites by using the token as a super-cookie that bypasses other anonymizing precautions.”

Increasing the end-users’ privacy is an admirable cause, but Google didn’t seem to be so interested with it when it came to implementing the “Do Not Track” feature. The Do Not Track (DNT) is a proposed HTTP header field that requests that a web application disable its tracking of an individual user. Google’s Chrome was the last major browsing platform to support the feature .

An alternative explanation to Google’s motivation

Creating a complete customer profile is the holy grail of advertising, allowing advertisers to invest their advertising budget only in the relevant target audience. However, establishing such a profile of the user’s activities across websites is not an easy task, as the user may use a different username for each application or would prefer to remain anonymous to the website due to the annoying registration process.

By “magically blessing” a device to authenticate on the user behalf many of these problems are solved, as the registration and authentication involve a significantly smaller effort for the user on one hand and associates a unique identification with the user across different devices and services on the other hand. And the best part – the implementation disables other sites from establishing the same identity via a “super cookie”, leaving that knowledge only the device itself which is, of course, created by Google and therefore may expose the information exclusively to Google and its advertising customers.

If you think this explanation of Google concealing a move aimed to gain a competitive advantage as a move aimed to increase end users privacy to be a farfetched one, consider the following case. More than a year ago, Google switched its search functionality to be under SSL encryption. A consequence of this move was the blocking of the transfer of the HTTP referrer information which includes the search terms used by the user to the referred websites. However, Google made that information available for its true customers, the advertisers. In the words of the “search engine guru”, Danny Sullivan:

Google SSL Search Results

Figure 3 Google search switch to SSL blocks search term from target website (unless it’s an advertiser)

“So why do it? One reason is that it makes Google more competitive. If someone lands on your web site, and you know the search term they used, you can then target them in various ways across the web with ads you believe reflect that search interest. All you need is the initial term. This is called “retargeting,” and Google’s a leading provider of retargeted ads. When you cut the referrers out, except for your own advertisers, Google makes it harder for its competitors to offer retargeting services.

Another benefit is that it prevents anyone but Google’s own advertisers from doing keyword-level conversion tracking. With search referrers, you can determine what someone who searched for a particular term later did on your site. What further pages did they go to? Did they purchase a product or service? Without the search terms, you can’t do this degree of analysis. That is, of course, unless you buy an ad. Conversion tracking at the keyword level turns into another sales feature for Google.”

The price of privacy is eternal vigilance

The technological version of the “There ain’t no such thing as a free lunch” adage claims that “If you use a tech service for free then product is you”. Google is not “Scroogling” their end users, as their competitors would like us to believe. They just want to provide value for their true customers, the advertisers, by selling them a good product: data on the non-paying end-users.

Therefore, when it comes to setting the standards for crucial internet functionality such as authentication, the Internet community must remain vigilant and carefully examine and scrutinize change proposals, to ensure they support the greater good of all of the Internet users.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

Cloud Security

Microsoft and Proofpoint are warning organizations that use cloud services about a recent consent phishing attack that abused Microsoft’s ‘verified publisher’ status.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Many developers and security people admit to having experienced a breach effected through compromised API credentials.