Google announced a new feature to let developers using Google Sign-In automatically share information about security problems, like account hacks, to make it more difficult for incidents to spread across services. A new cross account protection (CAP) protocol is designed to send and receive security signals about user accounts, so that a breach on one service is less likely to allow an attacker to daisy chain their way into that person’s account on another.

It’s relatively common for hackers to infiltrate one account and use it to leverage their way into another target. (For example, several years ago when hackers wanted to take over my Twitter account, they did so by first gaining access to my Amazon account, which they used to access my email, triggering a series of attacks.) This makes email and cell phone accounts more likely to become central points of failure, because they are often used as logins. Or, as Google’s senior product manager for developer identity tools, Adam Dawes, put it, “all your eggs are in the basket of your mail provider.”

Currently, when an identity provider, like an email or cell service, detects a problem, there’s not much it can do to alert all the other services where someone may have used that provider as a login. For example, let’s say you sign into Evernote with a Gmail address. Someone who gained access to your Google account could then also use it to log in to Evernote by opting to use Google Sign-In. And even if Google caught and kicked the attacker out of its own service, that person could remain logged into Evernote. Cross account protection is meant to remedy that vulnerability by effectively linking account security using the Google Sign-In authentication service.

CAP lets different services send each other major security notifications about a common user — such as when an account has been hijacked or disabled, when it has logged a user out of all sessions, when it forces a password change, and when it detects that an account is actually a bot. That then gives developers the option of taking action on the affected account.

It does mean that for now someone needs to be logged in via Google Sign-In for the new feature to work — a Gmail address alone isn’t enough. (However, other identity providers will also be able to implement the protocol.)

“People have data stored in lots of different places, but it’s becoming increasingly difficult for them to keep it all locked down and protected,” Mark Risher, a director of product management who runs Google’s identity team, told BuzzFeed News. “Effectively what we’re trying to accomplish is to make the internet safer.”

Originally published at BuzzFeed
