Security Blog
The latest news and insights from Google on security and safety on the Internet
Spurring more vulnerability research through increased rewards
April 23, 2012
Posted by Adam Mein and Michal Zalewski, Security Team
We
recently marked
the anniversary of our
Vulnerability Reward Program
, possibly the first permanent program of its kind for web properties. This collaboration with the security research community has far surpassed our expectations: we have received over 780 qualifying vulnerability reports that span across the hundreds of Google-developed services, as well as the software written by fifty or so companies that we have acquired. In just over a year, the program paid out around $460,000 to roughly 200 individuals. We’re confident beyond any doubt the program has made Google users safer.
Today, to celebrate the success of this effort and to underscore our commitment to security, we are rolling out
updated rules
for our program — including new reward amounts for critical bugs:
$20,000
for qualifying vulnerabilities that the reward panel determines will allow code execution on our production systems.
$10,000
for SQL injection and equivalent vulnerabilities; and for certain types of information disclosure, authentication, and authorization bypass bugs.
Up to
$3,133.7
for many types of XSS, XSRF, and other high-impact flaws in highly sensitive applications.
To help focus the research on bringing the greatest benefit to our users, the new rules offer reduced rewards for vulnerabilities discovered in non-integrated acquisitions and for lower risk issues. For example, while every flaw deserves appropriate attention, we are likely to issue a higher reward for a cross-site scripting vulnerability in
Google Wallet
than one in
Google Art Project
, where the potential risk to user data is significantly smaller.
Happy hunting - and if you find a security problem, please
let us know
!
An improved Google Authenticator app to celebrate millions of 2-step verification users
March 30, 2012
Posted by Sara "Scout" Sinclair, Associate Product Manager, Google Security Team
Since we first made 2-step verification available to
all Google users
in February of 2011, millions of people around the world have chosen to use this extra layer of security to protect their Google Accounts. Thousands more are signing up every day. And recently, we updated the feature’s companion smartphone app,
Google Authenticator
, for Android users.
2-step verification works by requiring users to enter a verification code when signing in using a computer they haven’t previously marked as “
trusted
.” Many users choose to receive their codes via SMS or voice call, but smartphone users also have the option to generate codes on their phone by
installing the Google Authenticator app
— an option that is particularly useful while traveling, or where cellular coverage is unreliable. You can use Google Authenticator to generate a valid code even when your phone isn’t connected to a cellular or data network.
We want 2-step verification to be simple to use, and therefore we are working continually to make it easier for users to sign up, manage their settings, and maintain easy access to their verification codes at any time and from anywhere. Our updated Google Authenticator app has an improved look-and-feel, as well as fundamental upgrades to the back-end security and infrastructure that necessitated the migration to a new app. Future improvements, however, will use the familiar Android update procedure.
Current Google Authenticator users will be prompted to upgrade to the new version when they launch the app. We’ve worked hard to make the upgrade process as smooth as possible, but if you have questions please refer to the
Help Center article
for more information. And, if you aren’t already a 2-step verification user, we encourage you to
give it a try
.
Celebrating one year of web vulnerability research
February 9, 2012
Posted by Adam Mein, Technical Program Manager, Google Security Team
In November 2010, we
introduced
a different kind of vulnerability reward program that encourages people to find and report security bugs in Google’s web applications. By all available measures, the program has been a big success. Before we embark further, we wanted to pause and share a few things that we’ve learned from the experience.
“Bug bounty” programs open up vulnerability research to wider participation.
On the morning of our announcement of the program last November, several of us guessed how many valid reports we might see during the first week. Thanks to an already successful
Chromium reward program
and a healthy stream of regular contributions to our
general security submissions
queue, most estimates settled around 10 or so. At the end of the first week, we ended up with 43 bug reports. Over the course of the program, we’ve seen more than 1100 legitimate issues (ranging from low severity to higher)
reported by over 200 individuals
, with 730 of those bugs qualifying for a reward. Roughly half of the bugs that received a reward were discovered in software written by approximately 50 companies that Google acquired; the rest were distributed across applications developed by Google (several hundred new ones each year). Significantly, the vast majority of our initial bug reporters had never filed bugs with us before we started offering monetary rewards.
Developing quality bug reports pays off... for everyone.
A well-run vulnerability reward program attracts high quality reports, and we’ve seen a whole lot of them. To date we’ve paid out over $410,000 for web app vulnerabilities to directly support researchers and their efforts. Thanks to the generosity of these bug reporters, we have also donated $19,000 to charities of their choice. It’s not all about money, though. Google has gotten better and stronger as a result of this work. We get more bug reports, which means we get more bug fixes, which means a safer experience for our users.
Bug bounties — the more, the merrier!
We benefited from looking at
examples
of other types of vulnerability reward programs when designing our own. Similarly, in the months following our reward program kick-off, we saw
other
companies
developing reward programs and starting to
focus more on web properties
. Over time, these programs can help companies build better relationships with the security research community. As the model replicates, the opportunity to improve the overall security of the web broadens.
And with that, we turn toward the year ahead. We’re looking forward to new reports and ongoing relationships with the researchers who are helping make Google products more secure.
Android and Security
February 2, 2012
Posted by Adrian Ludwig, Android Security Engineer
We frequently get asked about how we defend Android users from malware and other threats. As the Android platform continues its tremendous growth, people wonder how we can maintain a trustworthy experience with Android Market while preserving the openness that remains a hallmark of our overall approach. We’ve been working on lots of defenses, and they have already made a real and measurable difference for our users’ security. Read more about how we defend against malware in Android Market on the Google Mobile Blog
here
.
Landing another blow against email phishing
January 30, 2012
(Cross-posted from the
Gmail Blog
)
Posted by Adam Dawes, Product Manager
Email phishing, in which someone tries to trick you into revealing personal information by sending fake emails that look legitimate, remains one of the biggest online threats. One of the most popular methods that scammers employ is something called
domain spoofing
. With this technique, someone sends a message that seems legitimate when you look at the “From” line even though it’s actually a fake. Email phishing is costing regular people and companies millions of dollars each year, if not more, and in response, Google and other companies have been talking about how we can move beyond the solutions we’ve developed individually over the years to make a real difference for the whole email industry.
Industry groups come and go, and it’s not always easy to tell at the beginning which ones are actually going to generate good solutions. When the right contributors come together to solve real problems, though, real things happen. That’s why we’re particularly optimistic about
today’s announcement
of DMARC.org, a passionate collection of companies focused on significantly cutting down on email phishing and other malicious mail.
Building upon the work of previous mail authentication standards like
SPF
and
DKIM
, DMARC is responding to domain spoofing and other phishing methods by creating a standard protocol by which we’ll be able to measure and enforce the authenticity of emails. With DMARC, large email senders can ensure that the email they send is being recognized by mail providers like Gmail as legitimate, as well as set policies so that mail providers can reject messages that try to spoof the senders’ addresses.
We’ve been active in the leadership of the DMARC group for almost two years, and now that Gmail and several other large mail senders and providers — namely Facebook, LinkedIn, and PayPal — are actively using the DMARC specification, the road is paved for more members of the email ecosystem to start getting a handle on phishing. Our recent data indicates that roughly 15% of non-spam messages in Gmail are already coming from domains protected by DMARC, which means Gmail users like you don’t need to worry about spoofed messages from these senders. The phishing potential plummets when the system just works, and that’s what DMARC provides.
If you’re a large email sender and you want to try out the DMARC specification, you can learn more at the
DMARC website
. Even if you’re not ready to take on the challenge of authenticating all your outbound mail just yet, there’s no reason to not sign up to start receiving reports of mail that fraudulently claims to originate from your address. With further adoption of DMARC, we can all look forward to a more trustworthy overall experience with email.
Tech tips that are Good to Know
January 17, 2012
Posted by Alma Whitten, Director of Privacy, Product and Engineering
(Cross-posted from the
Official Google Blog
)
Does this person sound familiar? He can’t be bothered to type a password into his phone every time he wants to play a game of Angry Birds. When he does need a password, maybe for his email or bank website, he chooses one that’s easy to remember like his sister’s name—and he uses the same one for each website he visits. For him, cookies come from the bakery, IP addresses are the locations of Intellectual Property and a correct Google search result is basically magic.
Most of us know someone like this. Technology can be confusing, and the industry often fails to explain clearly enough why digital literacy matters. So today in the U.S. we’re kicking off
Good to Know
, our biggest-ever consumer education campaign focused on making the web a safer, more comfortable place. Our ad campaign, which we introduced in the U.K. and Germany last fall, offers privacy and security tips: Use
2-step verification
! Remember to lock your computer when you step away! Make sure your connection to a website is
secure
! It also
explains
some of the building blocks of the web like cookies and IP addresses. Keep an eye out for the ads in newspapers and magazines, online and in New York and Washington, D.C. subway stations.
The campaign and
Good to Know website
build on our commitment to keeping people safe online. We’ve created resources like
privacy videos
, the
Google Security Center
, the
Family Safety Center
and
Teach Parents Tech
to help you develop strong privacy and security habits. We design for privacy, building tools like
Google Dashboard
,
Me on the Web
, the
Ads Preferences Manager
and
Google+ Circles
—with more on the way.
We encourage you to take a few minutes to check out the
Good to Know site
, watch
some
of
the
videos
, and be on the lookout for ads in your favorite newspaper or website. We hope you’ll learn something new about how to protect yourself online—tips that are always good to know!
Update
1/17
: Updated to include more background on Good to Know.
Expanding Safe Browsing Alerts to include malware distribution domains
December 1, 2011
Posted by Nav Jagpal, Security Team
For the past year, we’ve been sending notifications to network administrators registered through the
Safe Browsing Alerts for Network Administrators
service when our automated tools find phishing URLs or compromised sites that lead to malware on their networks. These notifications provide administrators with important information to help them improve the security of their networks.
Today we’re adding distribution domains to the set of information we share. These are domains that are responsible for launching exploits and serving malware. Unlike compromised sites, which are often run by innocent webmasters, distribution domains are set up with the primary purpose of serving malicious content.
If you’re a network administrator and haven’t yet registered your AS, you can do so
here
.
Reminder: Safe Browsing version 1 API turning down December 1
November 22, 2011
Posted by Brian Ryner, Security Team
In May we
announced
that we are ending support for the Safe Browsing protocol version 1 on December 1 in order to focus our resources on the
new version 2 API
and the
lookup service
. These new APIs provide simpler and more efficient access to the same data, and they use significantly less bandwidth. If you haven't yet migrated off of the version 1 API, we encourage you to do so as soon as possible. Our
earlier post
contains links to documentation for the new protocol version and other resources to help you make the transition smoothly.
After December 1, we will remove all data from the version 1 API list to ensure that any remaining clients do not have false positives in their database. After January 1, 2012, we will turn off the version 1 service completely, and all requests will return a 404 error.
Thanks for your cooperation, and enjoy using the next generation of Safe Browsing.
Protecting data for the long term with forward secrecy
November 22, 2011
Posted by Adam Langley, Security Team
Last year we introduced
HTTPS by default for Gmail
and
encrypted search
. We’re pleased to see that other major communications sites are following suit and deploying HTTPS in one form or another. We are now pushing forward by enabling
forward secrecy
by default.
Most major sites supporting HTTPS operate in a non-forward secret fashion, which runs the risk of retrospective decryption. In other words, an encrypted, unreadable email could be recorded while being delivered to your computer today. In ten years time, when computers are much faster, an adversary could break the server private key and retrospectively decrypt today’s email traffic.
Forward secrecy requires that the private keys for a connection are not kept in persistent storage. An adversary that breaks a single key will no longer be able to decrypt months’ worth of connections; in fact, not even the server operator will be able to retroactively decrypt HTTPS sessions.
Forward secret HTTPS is now live for Gmail and many other Google HTTPS services(*), like SSL Search, Docs and Google+. We have also
released the work
that we did on the open source OpenSSL library that made this possible. You can check whether you have forward secret connections in Chrome by clicking on the green padlock in the address bar of HTTPS sites. Google’s forward secret connections will have a key exchange mechanism of ECDHE_RSA.
We would very much like to see forward secrecy become the norm and hope that our deployment serves as a demonstration of the practicality of that vision.
(* Chrome, Firefox (all platforms) and Internet Explorer (Vista or later) support forward secrecy using elliptic curve Diffie-Hellman. Initially, only Chrome and Firefox will use it by default with Google services because IE doesn’t support the combination of ECDHE and RC4. We hope to support IE in the future.)
Safe Browsing Alerts for Network Administrators is graduating from Labs
October 6, 2011
Posted by Nav Jagpal, Security Team
Today, we’re congratulating Safe Browsing Alerts for Network Administrators on its graduation from Labs to its new home at
http://www.google.com/safebrowsing/alerts/
We
announced
the tool about a year ago and have received a lot of positive feedback. Network administrators, large and small, are using the information we provide about malware and phishing URLs to clean up their networks and help webmasters make their sites safer. Earlier this year,
AusCert recognized our efforts
by awarding Safe Browsing Alerts for Network Administrators the title of “Best Security Initiative.”
If you’re a network administrator and haven’t yet registered your AS, you can do so
here
.
Labels
#sharethemicincyber
#supplychain #security #opensource
android
android security
android tr
app security
big data
biometrics
blackhat
C++
chrome
chrome enterprise
chrome security
connected devices
CTF
diversity
encryption
federated learning
fuzzing
Gboard
google play
google play protect
hacking
interoperability
iot security
kubernetes
linux kernel
memory safety
Open Source
pha family highlights
pixel
privacy
private compute core
Rowhammer
rust
Security
security rewards program
sigstore
spyware
supply chain
targeted spyware
tensor
Titan M2
VDP
vulnerabilities
workshop
Archive
2024
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2023
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2022
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2021
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2020
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2019
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2018
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2017
Dec
Nov
Oct
Sep
Jul
Jun
May
Apr
Mar
Feb
Jan
2016
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2015
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2014
Dec
Nov
Oct
Sep
Aug
Jul
Jun
Apr
Mar
Feb
Jan
2013
Dec
Nov
Oct
Aug
Jun
May
Apr
Mar
Feb
Jan
2012
Dec
Sep
Aug
Jun
May
Apr
Mar
Feb
Jan
2011
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
2010
Nov
Oct
Sep
Aug
Jul
May
Apr
Mar
2009
Nov
Oct
Aug
Jul
Jun
Mar
2008
Dec
Nov
Oct
Aug
Jul
May
Feb
2007
Nov
Oct
Sep
Jul
Jun
May
Feed
Follow @google
Follow
Give us feedback in our
Product Forums
.
Follow