
Google Health app draws fire for privacy concerns

SecureThroughObscure (1282782) writes | more than 6 years ago

Security 0

SecureThroughObscure writes "Noted security researcher Robert "RSnake" Hansen posted an article covering numerous concerns with Google's new Google Health application which aims to integrate users' medical records online. RSnake mentions that Google has found a loophole allowing them to provide this service without having to follow HIPAA regulations, which, combined with Google's track record of having numerous flaws leading to private information disclosure, draws serious concern.

Security researcher and blogger Nate McFeters of ZDNet's Zero-Day Security Blog also commented on the subject, mentioning several past vulnerabilities (here (Ownership of content issue), here (Ownership of content issue), here (Google Docs theft), here (Google Docs theft), here (Google Docs theft), here (Cross-domain hole), here (Google XSS), and here (Google Picasa protocol handler issue leads to theft of user images)) that he and fellow researcher Billy Rios disclosed to Google, including the ability to steal GMail contact list information, cross-site scripting bugs, and the ability to steal Google Docs.

McFeters says it's likely that similar unpatched bugs would allow an attacker to view medical records if a user was also using Google Health. McFeters also put forth a challenge in his article suggesting that Billy Rios will have hacked Google Health within three weeks.

Both McFeters and Hansen tend to agree that Google's vulnerability disclosure/notification is non-existent and really needs to be. Currently, Google does not report vulnerabilities it has fixed to its user base, for the obvious reason of trying to hide the fact that users' data could have been stolen. It's really quite onerous that Google finds it reasonable to create an application like Google Health when they are, as RSnake says in his blog post, the single worst in privacy of all the top Internet sites.

Feel like having your medical records exposed today?

