[+] Wayc0de's Blog[+]


Crowd-sourcing mischief on Google Maps leads customers astray

As if we weren't already a drifting, confused mob of smartphone-jabbing zombies, Google has presented a new way to baffle business customers.

As the New York Times recently reported and a bunch of “No, we are not closed” businesses subsequently protested, Google's Yellow Pages-ish Google Places turns out to be dismayingly easy to lie to.

The problem: Relying as it does on crowd sourcing that allows customers to report that a Google Maps/Google Places business is closed, Google has incorporated no verification to back up the "closed" status.

It's easy to tell Google Places that a business is closed

Thus, spammers can jump on a business out of malice or fun or for whatever other drooly reasons motivate the idly malicious, putting a "closed" sign on any shop the mob has decided to pick on that day.
This exchange on Google's Help forum for Google Places for Business is typical of Google’s initial response:

Mystified business owner douknow1:
"After doing a search on my mobile phone for my business, I learned that Google has a tag below my business name that says Permanently Closed in Red. Being that I cannot contact Google, I was hoping someone could help me figure out how to remove it."
"Google does not report businesses as closed. This was submitted as a community edit. On your Google places page you will find a link 'edit this place' there you can find the option to report the business as open."
OK, it sounds like a shrug put into text. But to its credit, Google has jumped on this problem fast. The New York Times article went up Monday, and by 12:35 a.m. Tuesday Google had responded, saying they’re aware of the problem and are "actively working on a solution."
To wit, here's what Google is saying:
"Every year, millions of businesses open, close, move, change their hours, get a new website, or make other types of changes. Because we can’t be on the ground in every city and town, we enable our great community of users to let us know when something needs to be updated. The vast majority of edits people have made to business listings have improved the quality and accuracy of Google Maps for the benefit of all Maps users."
"For example, when there is a pending edit that indicates that a place might be closed, our system currently displays the label, 'Reported to be closed. Not true?'. Only when that pending edit is reviewed and approved does the label change to, 'This place is permanently closed. Not true?'"
Since the issue boiled up in the blogosphere two weeks ago, Google has been working on a fix that it expects will be out "in the coming days," the company said in the posting.

Because security people earn their beer money by being proactively paranoid, here are some misery scenarios Naked Security's own Graham Cluley suggested to me:

1. "Could we see business rivals abusing the system? After all, we've seen plenty of hotels on TripAdvisor seemingly with bogus reviews - either good or bad!"

2. "Sounds like a fascinating new Web 2.0-ish-flavored attack which could target a company. Imagine if you were a controversial multinational with stores on every street corner — could organized protestors band together and trick Google Maps into thinking your individual stores were closed for business?"

Fortunately, it sounds as though Google is on top of it. Hopefully your local Starbucks won't go belly-up because multitudes of disappointed, latte-craving pedestrians have been misled by erroneous "closed" Google Mapification.

But, as Graham points out, at the very least, the issue points to the danger of "placing too much trust in an unpoliced online community—especially when malicious acts could result in businesses losing valuable exposure and income."

It's not exactly about trust, of course. It's not as if businesses actively opt in to crowd-sourcing. It is about being attentive. This is just one more slice of your business's multifaceted online persona that you can't stop monitoring.

You can't sit back and assume that somebody's not screwing with you, and you can't assume that online behemoths like Google aren't (unwittingly) aiding and abetting the screwing.

Let's just hope they figure out how to unscrew, and to remain in the unscrew aiding and abetting camp, very soon.

nb : nakedsecurity.sophos
