RSnake picks on Google Health... yes, Google wants your medical records, too!

Interesting article from Robert "RSnake" Hansen yesterday on one of Google's new innovations, the Google Health application.  Yeah, imagine that, Google wants to own the content of your medical records, too!  You'd think that Google would want to avoid this due to HIPPA complications, as this is a true example of taking ownership (pwnership) of content, but as RSnake says in his article:

It must be a Wednesday because it’s feeling a lot like “pick on Google” day! Let’s see here, what’s in the news today? Oh! Google Health - from the same company that brought you countless vulnerabilities both fixed and unfixed, with a policy of not alerting people to security issues comes a new service that asks you to input all your most sensitive personal health records! “But it’s medical records,” I can hear people saying, “surely they’ll be as secure as any HIPAA compliant entity.” Except, legally not so much… (from their terms of service):

Google is not a “covered entity” under the Health Insurance Portability and Accountability Act of 1996 and the regulations promulgated thereunder (”HIPAA”). As a result, HIPAA does not apply to the transmission of health information by Google to any third party.

Hawhhhaaaaattttt???  So Google doesn't have to respect HIPPA laws?!  As RSnake mentioned, Google, while I think has a very responsive security team, has a policy of not publicly disclosing vulnerabilities.  This means that some of the more interesting attacks pulled off on Google applications, see Billy Rios and my previous work on Google Docs, get's only as much coverage as the security researcher who did or did not disclose the findings.  Actually, looking back, Rios has sure found, or been involved with finding, a lot of issues on Google applications... his XS-Sniper blog looks like a trophy room of Google kills.

Back to the article, RSnake also provides his opinion on Google's skirting of the law:

I think it’s a shame Google found a legal get out of jail free card to absolve themselves from securing consumer medical records in the same way everyone else who handles this kind of data does. At least Google gives you advice on how to protect your personal data. By uhm… protecting it!

You are responsible for the security of your passwords and for any use of your account. You must immediately notify Google of any unauthorized use of your password or account by following the instructions at this link: http://www.google.com/support/accounts/bin/answer.py?answer=48601

Incidentally my favorite line from their form is:

Google Accounts: I think someone else is using my Google Account. Tip: In most cases, this problem can be resolved by resetting your password. Please do so before completing our form.

Resetting your password will recover your stolen personal data and make you and your family whole again, I guess.

Haha, well, that's not really funny actually.  Seriously, with all that Google has undertaken, it's become a one-stop shop for identity theft and privacy breach.  Fortunately, there hasn't been a wide-spread breach, yet... but I feel like this has more to do with researchers wanting to work with Google on their software and doing a great job at pointing out issues.  All it is going to take is one hacker who really doesn't like Google and one major vulnerability.

I'm currently aware of an attack by Billy Rios, which is not targeted at Google (it could actually hit just about any web application) that would likely allow the content of Google Health, Google Docs, GMail, and just about any application under Google's control if a user simply visits a Rios controlled page.  Good thing Billy is a good guy and is working with the appropriate vendors to fix this issue.  Sorry I can't give more details, I guess you'll have to come to our Black Hat Vegas talk to hear more (shameless plug for myself, Rios, John Heasman, and Rob Carter).

RSnake goes on to provide some thoughts around the heavily under-utilized Google security blog:

As a side note, a year has come and gone and silently the Google security bloghas had its first birthday. Has anyone noticed? I recall a year ago I said to a number of people I’d be surprised if anything interesting came out of it, and here we are a year later, with about 13 posts (one a month) and pretty much nothing of note about any actual issues/flaws has been discussed. There were two brief non-technical posts about “Lemon”, a year ago, to be fair. Maybe someone learned something from it, but it sure wasn’t me or any researchers I’ve talked to. Happy belated birthday, Google Security! Another year has come and gone, and the redirects still aren’t closed - how about a post about that?

You know, this is disappointing at best.  Personally I've reported a few issues to Google, as have my close colleagues Billy Rios and Rob Carter.  I know that we've always enjoyed working with the Google Security Team as they are very responsive and quickly fix the important issues.  I have, however, always found it concerning that Google does not publicly disclose flaws or more importantly steps that a user should take to make sure they are safe from the issue.

RSnake goes on to say:

As another noted security expert pointed out to me two days ago - Google represents the single greatest travesty of our generation. You gather the largest collection of the most brilliant minds you can possibly find, for the sole purpose of displaying ads next to search results. Remember, this is the same company who just a few short months ago was ranked the single worst in privacy of all the top Internet sites. Great - just who I want to be the keeper of my apparently non-HIPAA regulated medical data.

I've begun to wonder when innovation for the sake of innovation becomes to dangerous.  It feels like, and this is just a gut reaction here, law should have a strong and violent reaction to Google skirting around HIPPA concerns.  I give Google Health three weeks before Rios has found a serious flaw.

-Nate

[poll id=2]