Anatomy of hack on Google leads Plaxo to up API security

A malicious attack aimed at Google but routed through Plaxo highlights the growing importance of API security and of the forthcoming OAuth 2.0 protocol, which lets users grant a third-party application access to their account without handing over their credentials.
Written by John Fontana, Contributor

Address book service Plaxo is moving to shore up its API security after being sucked in as a back-door, silent victim in an attack on Google.

Last week, a spammer armed with stolen credentials for a number of Google accounts routed the attack through Plaxo's servers, taking advantage of the connections the two companies maintain and of an aging Plaxo mechanism called the Address Book (AB) Widget, which let Plaxo users import their Gmail contacts by giving Plaxo their Google password.

[Image credit: Brian Campbell]

Because the attacker's requests reached Google from Plaxo's IP addresses, mixed in with legitimate sync traffic, Google had no easy way to pick out the malicious logins.

The two companies worked together to dissect the attack. Plaxo has since retired the AB Widget and will update Plaxo-Google Sync in a few weeks to use OAuth 2.0, so that users authorize the sync at Google instead of giving Plaxo their password.

The moral of the story is that security must be a first-order concern for APIs, which are becoming the preferred point of integration between cloud services.

To wit, over the past two years companies such as Twitter, Facebook, Google, Netflix, eBay and NPR have each come to process billions of API calls per day.

OAuth 2.0 is a forthcoming Internet Engineering Task Force specification for delegated authorization. Rather than giving a third-party application its password, the user approves that application at the account provider, which issues the application a token limited to the approved scope of access; the application then presents that token on its API calls. No credentials are shared among providers, and the provider can revoke the token without the user having to change a password.

"End-users won't know the technology they are using is OAuth," said Preston Smalley, general manager and head of product for Plaxo. "But over time users are becoming more and more sensitive to sharing their user names and passwords with anyone other than their account provider."

With Plaxo's old AB Widget, users had to provide their Google credentials to Plaxo, which had to store, protect and pass that data on the user's behalf.

"There were two issues with the old method," said Smalley. "Users should not have to give us their credentials. The other issue is the provider (in this case Google) has to trust that developers are doing the right things using that API on the end-user's behalf."

For example, once a third-party application holds the user's password, nothing technically limits it to the data it needs; the user can only trust that it will not reach further. A token issued under OAuth is limited to the scope the user approved.

Plaxo, which uses OAuth with three other third-party partners, will now upgrade its entire Google API connection portfolio to support OAuth.

Smalley said sites benefit from this architecture in other ways, especially because the account provider can use its own tools to ferret out attacks.

"With OAuth all the authentication happens on their servers and so they can take advantage of all the security precautions they have in place," said Smalley.

In the Google attack, Google saw only what looked like users logging in to their own accounts from Plaxo's servers; it could not tell that thousands of those logins came from a single attacker rather than from thousands of Plaxo users syncing. That information is key to detecting malicious activity.

On the Plaxo side, the company saw no sync failures, because the attacker held valid Google credentials, and no Plaxo credentials were ever compromised.
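To make the two integration models concrete, the following is an added Python simulation written for this page; it is not Plaxo's or Google's code. It models a toy account provider with a password login, an OAuth 2.0 authorization-code flow and a detector over the provider's own login log, then replays the two situations described above: the AB Widget pattern, in which every sync is a password login from Plaxo's address, and the OAuth pattern, in which users authorize Plaxo at the provider from their own devices and Plaxo holds only contact-scoped tokens. All accounts, addresses, client IDs and secrets are constructed, and the provider's API and the detection rule are assumptions made for illustration, not Google's.

```python
import secrets
from collections import defaultdict

# Constructed sample accounts and addresses (TEST-NET ranges); nothing here is real.
PROVIDER_USERS = {f"user{i}@example.com": f"pw{i}" for i in range(1, 21)}
PLAXO_IP, ATTACKER_IP = "203.0.113.10", "198.51.100.7"
STOLEN = dict(list(PROVIDER_USERS.items())[:10])   # passwords the spammer has stolen


class Provider:
    """Toy account provider (the Google role): checks passwords, issues scoped
    OAuth 2.0 tokens, serves a contacts API and keeps the log its detection uses."""

    def __init__(self, users, registered_clients):
        self.users = users
        self.clients = registered_clients      # client_id -> client_secret
        self.auth_log = []                     # (source_ip, user, method, success)
        self.codes, self.tokens = {}, {}       # code/token -> (user, client_id, scope)
        self.contacts = {u: [f"friend-of-{u}"] for u in users}

    def _check_password(self, user, password, source_ip, method):
        ok = self.users.get(user) == password
        self.auth_log.append((source_ip, user, method, ok))
        return ok

    # Legacy AB Widget pattern: whoever presents the password gets everything.
    def password_login(self, user, password, source_ip):
        if not self._check_password(user, password, source_ip, "password"):
            raise PermissionError("bad credentials")
        return {"contacts": self.contacts[user], "mail": f"inbox of {user}"}

    # OAuth 2.0 authorization code grant, step 1: the user signs in at the provider
    # from their own device and approves a scope for a registered client.
    def authorize(self, user, password, client_id, scope, source_ip):
        if client_id not in self.clients:
            raise PermissionError("unknown client")
        if not self._check_password(user, password, source_ip, "oauth-authorize"):
            raise PermissionError("bad credentials")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (user, client_id, frozenset(scope))
        return code

    # Step 2: the client redeems the one-time code with its own client secret.
    # The user's password never reaches the client.
    def exchange_code(self, code, client_id, client_secret):
        if self.clients.get(client_id) != client_secret or code not in self.codes:
            raise PermissionError("bad client credentials or code")
        user, code_client, scope = self.codes.pop(code)
        if code_client != client_id:
            raise PermissionError("code was issued to another client")
        token = secrets.token_urlsafe(24)
        self.tokens[token] = (user, client_id, scope)
        return token

    # Resource API: a token reaches only the resources in its scope.
    def api_get(self, token, resource):
        user, _, scope = self.tokens.get(token, (None, None, frozenset()))
        if user is None or resource not in scope:
            raise PermissionError(f"token not valid for {resource}")
        return self.contacts[user] if resource == "contacts" else f"inbox of {user}"

    def revoke(self, token):
        self.tokens.pop(token, None)

    # Detection over the provider's own log: one source address successfully
    # authenticating as many different accounts.
    def suspicious_sources(self, min_accounts):
        by_ip = defaultdict(set)
        for ip, user, _, ok in self.auth_log:
            if ok:
                by_ip[ip].add(user)
        return {ip for ip, users in by_ip.items() if len(users) >= min_accounts}


def denied(provider, token, resource):
    try:
        provider.api_get(token, resource)
        return False
    except PermissionError:
        return True


def legacy_scenario():
    """Every sync, legitimate or not, is a password login from Plaxo's address."""
    p = Provider(PROVIDER_USERS, {})
    for user, pw in PROVIDER_USERS.items():        # ordinary users syncing
        p.password_login(user, pw, PLAXO_IP)
    for user, pw in STOLEN.items():                # the spammer, same path, same IP
        p.password_login(user, pw, PLAXO_IP)
    return p.suspicious_sources(min_accounts=5)    # only Plaxo's own address


def oauth_scenario():
    """Users authorize Plaxo at the provider; Plaxo holds only scoped tokens."""
    p = Provider(PROVIDER_USERS, {"plaxo": "plaxo-client-secret"})
    tokens = {}
    for i, (user, pw) in enumerate(PROVIDER_USERS.items(), start=1):
        code = p.authorize(user, pw, "plaxo", {"contacts"}, source_ip=f"192.0.2.{i}")
        tokens[user] = p.exchange_code(code, "plaxo", "plaxo-client-secret")
    for user, pw in STOLEN.items():                # stolen passwords only work at Google
        p.password_login(user, pw, ATTACKER_IP)
    t = tokens["user1@example.com"]
    out = {"flagged": p.suspicious_sources(5), "contacts": p.api_get(t, "contacts")}
    out["mail_denied"] = denied(p, t, "mail")      # contacts-only scope blocks mail
    p.revoke(t)
    out["revoked_denied"] = denied(p, t, "contacts")
    return out
```

In the legacy scenario the only address the detector can flag is Plaxo's own, which also carries every legitimate sync, so the flag says nothing about the spammer. In the OAuth scenario the stolen passwords are usable only at the provider's own login, where the detector sees them arriving from one address, while the token Plaxo holds cannot reach mail and stops working as soon as the provider revokes it.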

"Ninety-nine percent of our traffic over APIs was happening with OAuth, so this is a good step forward for our sync with Google," said Smalley.
