Security Week 25: Privacy Data and Technical Difficulties

Let us not deny ourselves the pleasure of sewing two events that occurred last week to each other with white threads. First, in the most advanced Samsung Galaxy phones there were problems with sending messages. Secondly, the indexing of public documents with private information from the Google Documents service by the Yandex search engine was discussed far beyond the computer hangout.

These incidents have something in common: the absence of any novelty for an experienced reader of security news, and the not very specific reaction of the developers of devices and services. But the main thing is the lack of clear recommendations on how to protect your personal data, since this has happened. In general, there is every reason to talk again about the responsibility of users and service providers, the privacy and complexity of modern technologies.

What happened at Yandex?

Or is it Google? A detailed history of mass leakage of private documents is told in The Bell . In general, the fact that Google Documents documents are indexed is normal. Alas, quite often it is the ability to publish on the platform an indexed by search engines document used by fraudsters. According to popular requests for Google Docs, documents are created that then take the user to a third website - usually infected or trying to lure something from the user. Here is a screenshot for this blog:

You can run into such a thing for completely harmless search queries, and from the standpoint of the average user, everything at first looks legitimate: a link to the Google domain, a suitable description. But no. However, not intentionally public documents appeared in the history with Yandex, but really containing sensitive information for their creators. How they got into the issue can also be easily assumed. Few people bother distributing access to a Google document using e-mail addresses of specific people. Usually a link is created that is sent to all involved. Should such a document be indexed? Judging by the logic of access settings, it should not:

But further technical difficulties begin. Could Yandex index documents whose links are published publicly, for example, on public web pages? (yes) What were the settings for the documents issued? (not clear) Could there have been an erroneous indexation of documents, links to which were not published anywhere? (we will not get involved in conspiracy without evidence) Yandex’s comment comes down to the presence or absence of a robots.txt file on Google’s side. Comment Google qualifies the "leaked" documents as knowingly public.

And most likely, it was like this: the rip in privacy affected those who set the appropriate settings when creating the document. Should I blame the users? In the community of information security experts, there is a general consensus that blaming a user is a dead-end scenario . Users (company employees) need to be trained, but if something has flowed away as a result of “incorrect settings”, this is a hint of the need to update the interface.

What happened to Samsung?

Whatever happens at Samsung, users are definitely not to blame. But what exactly happened is also not known for certain. The first reports of the problem appeared about two weeks ago on Reddit and on the Samsung forum . On the Samsung forum, there was a rather reserved description of the bugs that appeared after installing updates in the Samsung Messages application. On Reddit, the user applied a wording that was quickly sold through the media: an application used in Samsung phones for sending SMS / MMS sends the contents of the photo gallery to random contacts.

There were more than two testimonies, but they didn’t help much to understand what exactly happened. It seems that the problem affected only the users of the T-Mobile operator: it all started after an update for the Rich Communication Services protocol arrived. Although another victim claims that he has an AT & T carrier phone. In one case, the last picture taken was sent to the contact with whom the correspondence had already been sent. In the other, random contact, the whole (!) Photo gallery flew away overnight. And the victim found out about it only from the recipient and from the operator’s billing, there was no information about sent messages in the telephone itself.

The media described the problem of who is in that much. In a note on Bleeping ComputerWith reference to the already mentioned Samsung forum, it was claimed that the manufacturer recognized the problem, which is not quite so. In the absence of an official description, users began to share homemade solutions, for example:


What do I allow the Samsung Messages application? Nothing!

Praise the advanced access settings in Android. True, everyone called the Samsung Messages application, although in reality it is simply called Messages, which is why those who did not want to share random photos could not find it. But there are not enough people who do not want to, but still, some photos are not very compatible with certain people in the contact list, be it a mother, a boss or a business partner. The clearest and most effective advice in the discussion on Reddit was, unfortunately, this one:

Only the most modern models, the Samsung Galaxy S9 and S9 Plus, Note 8, are subject to (again, imprecisely). Although IXBT claims that strange things are happening on the S8. Yes, disabling access to the Messages application leads to its complete inoperability, and you will have to install an alternative program (for example, a regular SMS client for Google).

And now what i can do?

If you take the history of Yandex and Google documents, then it’s simple: before you share a document, look at it carefully and think about what will happen when (not if, but when) it will leak. If you use simple and convenient tools such as Google Documents, Dropbox and others, think twice. It does not necessarily mean that you are specifically watched or targeted attack is plotted against you. Maybe this is how to accidentally go out - they put a tick in there, accidentally inserted a link not in the right place, something went wrong. If there is at least a minimal desire to preserve confidentiality, use e-mail, and better use encryption. Yes, it is not so convenient, but security also has its price.

But what to do if your phone sends photos without asking anyone? Or even supposedly capable of it? The advice is generally the same: look at your photo gallery. If there is anything sensitive or confidential there, do not store it on the phone. Or encrypt. This is not so difficult, although it requires some additional effort. But hacking or a tragic software error will result in leakage of only photographs of electricity meters.

Disclaimer: The opinions expressed in this digest may not always coincide with the official position of Kaspersky Lab. Dear editors generally recommend to treat any opinions with healthy skepticism.


The counter picture shown in this publication is not a photograph of a specific device that belongs to the authors of the text or Kaspersky Lab. The photo is for illustration purposes only and has not been published as a result of accidental or intentional information leakage.