Plaxo online address book service warns of security breach
Online address book service Plaxo has confirmed that an unknown malicious third-party gained access to the company's API connection to Google's address book and calendar. As a result of the security breach, Google took precautionary measures and temporarily disabled the connection, and sent Google account holders a "Suspicious sign in prevented" email advising them that a hijacker was trying to access their account.
According to Preston Smalley, General Manager and Senior Director of Product at Plaxo.com, the malicious party used Plaxo's server connection to Google to access accounts using a set of credentials; Smalley specifically notes that these credentials were acquired externally by the third-party and were not obtained from the company or its servers. Apparently, the attacker used Plaxo's AB Widget function, which the company had previously "slated for retirement" on 31 October 2011, to access accounts behind its proxy. It's not clear why the function had not already been taken completely offline, but Smalley says that the company is "in full communication with Google's security team and has taken steps to prevent future attacks including the full shutdown of the AB Widget".
Plaxo is currently in the process of upgrading its API connections, including the sync service, to use the OAuth open standard for authentication. However, until this is competed, the Google Sync service will remain disabled. Users who received the email notification from Google are advised to change their Google password "as a safety measure".
(Source: h-online.com)
