Vulnerability notified

16 July, 2009

One of the benefits of cloud computing is that it allows applications to be updated easily without the involvement of end-users. On the other hand, one of the biggest risks of cloud computing is that it allows applications to be updated easily without the involvement of end-users, exposing them to security risks or unwelcome changes in functionality.

A small, but telling, illustration of this is a recent incident with the Google Reader Notifier. This is a small add-on for the Firefox browser that helps people keep in touch with their RSS feeds on Google Reader by putting a small notifier on their status bar. It’s an ideal application of small-scale cloud computing: it means people can keep track of their feeds in an unobtrusive manner from any computer on which they have the notifier installed. I’ve been using it for some time.

[Image: Google Reader Notifier screenshot]

Today, however, I noticed a new and highly unwelcome addition to my toolbar: an ugly and intrusive link to “eBay: UK Site” (see right for a similar version, from here). I had no idea where this had come from, but a quick foray onto Google revealed that the culprit was the latest update to the Google Reader Notifier. Like many others, I have now uninstalled this add-on, thus solving the problem, and a cascade of one-star reviews is likely to reduce the number of people installing the add-on in future.

This is a small incident in itself, but it does highlight a couple of issues of more general application.

  1. As browsers become more complex – complex enough to become operating systems in their own right – the number of potential vulnerabilities increases accordingly. In this case, it was a simple matter to uninstall the add-on and remove the problem – but in the meantime, those people using the add-on have had their privacy and computer security compromised.
  2. It demonstrates the need for businesses to take care in how they use cloud computing. Many free-of-charge cloud applications are of high quality and usefulness, making them tempting to use for business purposes. However, they are weak on legal protection and transparency: businesses using them may have no comeback for outages or poor service, and are vulnerable to sudden changes in the software or even in the ethics of the people providing the cloud application. Businesses need to select their cloud computing providers with the same care as conventional IT suppliers, and with the same attention to the contractual terms.