SecureThroughObscure writes "Noted security researcher Robert "RSnake" Hansen posted an article covering numerous concerns with Google's new Google Health application, which aims to integrate users' medical records online. RSnake mentions that Google has found a loophole allowing them to provide this service without having to follow HIPAA regulations, which, combined with Google's track record of having numerous flaws leading to private information disclosure, draws serious concern.
Security researcher and blogger Nate McFeters of ZDNet's Zero-Day Security Blog also commented on the subject, mentioning several past vulnerabilities (here (Ownership of content issue), here (Ownership of content issue), here (Google Docs theft), here (Google Docs theft), here (Google Docs theft), here (Cross-domain hole), here (Google XSS), and here (Google Picasa protocol handler issue leads to theft of user images)) that he and fellow researcher Billy Rios disclosed to Google, including the ability to steal GMail contact list information, cross-site scripting bugs, and the ability to steal Google Docs.
McFeters says it's likely that similar unpatched bugs would allow an attacker to view medical records if a user was also using Google Health. McFeters also put forth a challenge in his article suggesting that Billy Rios will have hacked Google Health within three weeks.
Both McFeters and Hansen tend to agree that Google's vulnerability disclosure/notification is non-existent and really needs to be. Currently, Google does not report vulnerabilities it has fixed to its user base, for the obvious reason of trying to hide the fact that users' data could have been stolen. It's really quite onerous that Google finds it reasonable to create an application like Google Health when they are, as RSnake says in his blog post, the single worst in privacy of all the top Internet sites.
Feel like having your medical records exposed today?"