August 2, 2011

Is Google+ safer than Facebook?

Tamas Rudnai

Google is synonymous with the Web: from the search engine through Web-based email to video sharing, they are arguably the market leader. However, this has not been the case with social networking. They were constantly searching for a new way to set up a service or an Internet portal to help people connect with each other and find new friends or even old ones. But it was not only Google who tried this: Yahoo and Microsoft also made strong bids to win this market, with little success. Then all of a sudden, a young chap called Mark Zuckerberg created a brand new concept and made social networking very popular, and in 6 years Facebook managed to climb all the way up to 2nd place in the Alexa ranking, overtaking many big names like YouTube, Apple, Yahoo and Microsoft.


Facebook came from nowhere, and even challenged Google for the very top rank in popularity. Zuckerberg, as a fresh university graduate, had no experience in how to set up an enormous system like this, but he still smashed it and today is fighting to take the No.1 place as can be seen on the Alexa report.

It's no surprise therefore that Google is constantly looking for a way to beat Facebook and secure their first position. They already have a popular social network called Orkut. OK, it is only popular in some countries like Brazil or India, but still, it proves their concept: they can do it. The software giant has also done some interesting projects with Google Wave and Google Buzz. Neither really worked out or got close enough to steal market share from Facebook, although both got huge attention from the media as well as from users.

New concepts come and go: Google moved on, and has come up with Google+, which is another brand new concept. It looks like Google will keep trying until they get the perfect recipe for the most delicious cake of social networking. They are probably right in sensing the growing need for something new, and that is proved by the overwhelming interest from millions of Internet users.


However, for us security experts, the keen question is always whether it is going to be more secure than Facebook. Or could it be just a perfect gateway for spammers?

If we take a look at the key differences between Facebook and Google+, we notice that while on Facebook you need to accept a friend request, on Google+ someone can add you to their Circles without your prior approval. Later on you may block people. However, it worries me a bit, as it makes it fairly easy to use Google+ as a source of spam messages.

To test this theory I have just put a test message in my Stream on my existing Google+ account, and shared it with my company email address which was not previously registered by Google in any way. When I shared my stream post, I received an email from Google+ including the content of the message I wrote.


Malicious invitations and notifications

The demand for a Google+ account is still high. This is partly because the service is still in beta, and it is kind of cool to tell our friends that we already have an account: it is like saying "I am more up-to-date with technology than you are". So if someone receives a message saying 'This is an invitation to Google+', there is a big chance that the recipient will be very happy about the invitation, or perhaps out of curiosity will follow the link without checking its validity.

And here we go, this is the old-school security theory again: the weakest link in any security system is the human. Even if the interest in getting an account drops in time, Google+ sends notifications when someone adds you to their Circles, so it is only a matter of time before we see attacks similar to the old-style Facebook ones: scams using 'change password' phishing mails or 'someone added you' mails.

Dangers of beta stage

It is not all about the malicious invitations, and there have been some of these already. Google+ is still in beta which in itself creates further problems. Phishing Web sites are quite often used by cyber criminals: they steal the layout and the look of banks, game portals, Web email services and social networks and drive users to these fake sites to let victims enter their credentials or their sensitive data such as personal information or banking details. The very same can happen with Google+: after a malicious invitation or a fake notification, a user can end up on a fake Web site and unless they notice something strange on the page it is likely they will give up their data.

But why is this different than any previously seen issue? As Google+ is still in beta, people do not really know what it looks like. And even if they know, as it is in beta it might change at any time without prior notice from the software giant. So it is much easier to mimic a Google+ logon page, steal Google passwords, and use them for further malicious activities like sending spam to all email addresses in the contact list or sharing a stream to the Circles in the Google+ account.
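The validity check that recipients tend to skip can be automated for links in invitation and notification mails. The following is an added example, not part of the original article: it assumes that only hosts under `google.com` count as genuine, and the sample message and its `.example` hosts are constructed.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumption: registrable domains accepted as genuine; set this to your own policy.
TRUSTED_DOMAINS = ("google.com",)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def classify_link(url):
    """Return (verdict, reason) for a single URL taken from a message."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return "suspicious", "unparseable URL"
    host = (parts.hostname or "").rstrip(".")
    if parts.scheme.lower() != "https":
        return "suspicious", "not https"
    if "@" in parts.netloc:
        return "suspicious", "text before '@' is not the host; real host: " + host
    try:
        ipaddress.ip_address(host)
        return "suspicious", "raw IP address instead of a name"
    except ValueError:
        pass  # not an IP literal, keep checking the name
    if not host.isascii() or "xn--" in host:
        return "suspicious", "internationalised host, possible lookalike"
    for domain in TRUSTED_DOMAINS:
        # Match on a label boundary so 'notgoogle.com' and
        # 'google.com.login.example' both fail.
        if host == domain or host.endswith("." + domain):
            return "ok", host
    return "suspicious", "host not under a trusted domain: " + host

def check_message(text):
    """Classify every http(s) link found in a notification or invitation body."""
    return [(url,) + classify_link(url) for url in URL_RE.findall(text)]

# Constructed sample; .example hosts and 203.0.113.0/24 are reserved for documentation.
SAMPLE = """You are invited to join Google+
https://plus.google.com/
http://plus.google.com/
https://plus.google.com.invite.example/login
https://accounts.google.com@203.0.113.7/login
https://plus-google.example/login
"""

if __name__ == "__main__":
    for url, verdict, reason in check_message(SAMPLE):
        print(f"{verdict:10} {url}  ({reason})")
```

Only the first link passes; the others fail on scheme, on the trailing lookalike domain, on the `@` trick, and on a host that merely contains the brand name.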

In addition to this, when creating a Google+ account, Google asks us to download and install a component on our computer in order to be able to make video conferences and multi-party chats called Hangouts. This again is an opportunity for the bad guys to gain from drive-by download attacks on people - as it seems to be quite normal to download and install something when joining this social networking site.


Recommended Privacy Settings

The issue of privacy is also part of data security, namely data or information leakage. You may not want to let everybody know about your feelings, for example telling your boss that you are not happy with your job and are looking for a new one. Sometimes a post about this kind of thing is harmless, or just funny or awkward, but it can also be a way to seek out confidential company data. And that is possibly the biggest challenge today with the use of social networking sites from within a company.

Google+ uses a different concept to Facebook. Google is based around 'Circles', groups of people, and we can decide to share only with certain circles and/or individuals, rather than sharing everything with either 'Friends' only, 'Friends of Friends' or 'Everyone'. We still have a similar option, though: 'Your circles' is the equivalent of 'Friends' in Facebook, as it means we share the post with all of the circles we have. 'Extended circles' is very similar to 'Friends of friends', and 'Public' is equivalent to 'Everyone'.

Overall Google+ gives us finer-grained sharing options, and that is the key point here: if we do not want to share a piece of news or a status with everyone we have in our circles, we do not have to. For example, we may have circles like friends, colleagues and family, and may not want to let colleagues and our family know how drunk or silly we were at a party last night. This could be an awesome feature for some; however, there is a little glitch. If one of our friends re-shares the post to a different audience, then we can still end up sharing our posts with those we did not want to. Because of this, Google implemented the 'Disable Reshare' option, which prevents this from happening.
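The re-share glitch can be made concrete with a small model of the audience options described above. This is an added example, not from the original article and not Google's code: the function names, the data layout and the people in `CIRCLES` are constructed, and 'Public' is left out because it has no bounded audience.

```python
def resolve(circles, owner, targets):
    """Expand circle names, 'Your circles' or 'Extended circles' into people."""
    own = circles.get(owner, {})
    people = set()
    for target in targets:
        if target == "Your circles":
            people |= set().union(*own.values())
        elif target == "Extended circles":
            direct = set().union(*own.values())
            people |= direct
            for friend in direct:  # one hop further: the circles of our circles
                people |= set().union(*circles.get(friend, {}).values())
        else:
            people |= own[target]  # a single named circle
    return people - {owner}

def share(circles, author, targets, disable_reshare=False):
    """Create a post record with its resolved audience."""
    return {"author": author,
            "audience": resolve(circles, author, targets),
            "disable_reshare": disable_reshare}

def reshare(circles, post, resharer, targets):
    """Return the people who gain access but were outside the original audience."""
    if resharer not in post["audience"]:
        raise PermissionError("resharer cannot see the post")
    if post["disable_reshare"]:
        raise PermissionError("author disabled resharing")
    new_audience = resolve(circles, resharer, targets)
    return new_audience - post["audience"] - {post["author"]}

# Constructed data: carol is alice's colleague and also in bob's 'work' circle.
CIRCLES = {
    "alice": {"friends": {"bob"}, "colleagues": {"carol"}, "family": {"dave"}},
    "bob": {"work": {"carol", "erin"}},
}

if __name__ == "__main__":
    post = share(CIRCLES, "alice", ["friends"])
    print("leaked to:", sorted(reshare(CIRCLES, post, "bob", ["work"])))
    locked = share(CIRCLES, "alice", ["friends"], disable_reshare=True)
    try:
        reshare(CIRCLES, locked, "bob", ["work"])
    except PermissionError as err:
        print("blocked:", err)
```

Alice shared only with her friends, yet her colleague carol ends up in the audience through bob's re-share unless the post was created with re-sharing disabled.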


At the moment it is not easy to get a Google+ account, and this has created an understandable excitement and exclusivity for anyone who has one. Malware authors and spammers are already trying to take advantage of this, so please exercise caution if you do get an invitation to try it out for yourself. At this stage we can only hope that Google's security and spam filtering will work well to prevent malicious activities on this new social networking site. Anticipation is growing for when it launches to the wider public. I’m sure the spammers are looking forward to this day too.  Let’s see what happens.
