Google announced a new feature to let developers using Google Sign-In automatically share information about security problems, like account hacks, to make it more difficult for incidents to spread across services. A new cross-account protection (CAP) protocol is designed to send and receive security signals about user accounts, so that a breach on one service is less likely to allow an attacker to daisy-chain their way into that person's account on another.
It’s relatively common for hackers to infiltrate one account and use it to leverage their way into another target. (For example, several years ago when hackers wanted to take over my Twitter account, they did so by first gaining access to my Amazon account, which they used to access my email, triggering a series of attacks.) This makes email and cellphone accounts more likely to become central points of failure, because they are often used as log-ins. Or as Google’s senior product manager for developer identity tools, Adam Dawes, put it, “all your eggs are in the basket of your mail provider.”
Currently, when an identity provider, like an email or cell service, detects a problem, there’s not much it can do to alert all the other services someone may have used that provider as a log-in. For example, let’s say you sign into Evernote with a Gmail address. Someone who gained access to your Google account could then also use it to log in to Evernote by opting to use Google Sign-In. And even if Google caught and kicked the attacker out of its own service, that person could remain logged into Evernote. Cross-account protection is meant to remedy that vulnerability by effectively linking account security using the Google Sign-In authentication service.
CAP lets different services send one another major security notifications about a common user — such as when an account has been hijacked or disabled, when it has logged a user out of all sessions, when it forces a password change, and when it detects that an account is actually a bot. That then gives developers the option of taking action on the affected account.
It does mean that for now someone needs to be logged in via Google Sign-In for the new feature to work — a Gmail address alone isn't enough. (However, other identity providers will also be able to implement the protocol.)
“People have data stored in lots of different places, but it’s becoming increasingly difficult for them to keep it all locked down and protected,” Mark Risher, a director of product management who runs Google's identity team, told BuzzFeed News. “Effectively what we’re trying to accomplish is to make the internet safer.”