Crooks Bypassed Google’s Email Verification To Create Workspace Accounts, Access 3rd-Party Services

Brian Krebs writes via KrebsOnSecurity: Google says it recently fixed an authentication weakness that allowed crooks to circumvent the email verification required to create a Google Workspace account, and leverage that to impersonate a domain holder at third-party services that allow logins through Google’s “Sign in with Google” feature. […] Google Workspace offers a free trial that people can use to access services like Google Docs, but other services such as Gmail are only available to Workspace users who can validate control over the domain name associated with their email address. The weakness Google fixed allowed attackers to bypass this validation process. Google emphasized that none of the affected domains had previously been associated with Workspace accounts or services.

“The tactic here was to create a specifically-constructed request by a bad actor to circumvent email verification during the signup process,” [said Anu Yamunan, director of abuse and safety protections at Google Workspace]. “The vector here is they would use one email address to try to sign in, and a completely different email address to verify a token. Once they were email verified, in some cases we have seen them access third party services using Google single sign-on.” Yamunan said none of the potentially malicious workspace accounts were used to abuse Google services, but rather the attackers sought to impersonate the domain holder to other services online.

Read more of this story at Slashdot.

“Extraordinarily Disappointed” Users Reckon With the Google-fication of Fitbit

Longtime Slashdot reader schwit1 shares a report from Ars Technica, written by Scharon Harding: Since the acquisition closed in 2021, the Google-fication of Fitbit has largely meant a reduction in features and a focus from Google on getting people onto the Fitbit app. Long-time users have flocked to Fitbit — sometimes upon Fitbit’s request — to share hundreds of complaints about recent changes. However, Google has been mostly unresponsive to customer feedback. […] It’s worth mentioning that users disgruntled with Fitbit are more likely to complain online. However, it’s notable that Fitbit’s announcement has been met with 1,523 (as of this writing) mostly negative replies, with new responses still coming in. Another thread on Fitbit’s forum that requests to keep the web dashboard currently has 601 upvotes. You can find outraged users on Reddit, too.

The most common complaints are around losing previously available features. “Change is fine. Removing key features is not,” Community member Seymourh86 wrote in June. “Unless you want people to go to competitors…” Comments from this week show that users are not over the change. DebL555, for example, said today that they’re “extremely disappointed and frustrated I cannot access my Dashboard on my PC.” Yesterday, NessWeb dubbed the change “an incredibly bad decision,” adding: “It’s particularly awful for anyone with a visual disability or a finger dexterity issue. It’s still bad for everyone else because you just can’t see as much on a 3″ screen as you can see on a real computer … Bring back the web interface!!”

As has been the case every time there have been problems with Fitbit post-acquisition, theories that Google is making Fitbit worse to push people toward the Pixel Watch run rampant. Others on the Community forum were upset because they felt like Google was ignoring feedback from longtime Fitbit customers. In June, a user going by jessicabilasano wrote: “I just hope Fitbit does not end up like any other Google purchase that turns into a nightmare product/company. Google, instead of removing things that users love about Fitbit features, why not improve them? Listen to your customers/consumers.” However, a lack of response to public negative customer feedback has become commonplace for the Fitbit brand lately. “Users seek alternatives as Google is intent on app-centric focus,” captions schwit1. “Google ruins everything, it’s already ruined Google.”

Read more of this story at Slashdot.

Google’s Privacy Sandbox Accused of Misleading Chrome Browser Users

Richard Speed reports via The Register: Privacy campaigner noyb has filed a GDPR complaint regarding Google’s Privacy Sandbox, alleging that turning on a “Privacy Feature” in the Chrome browser resulted in unwanted tracking by the US megacorp. The Privacy Sandbox API was introduced in 2023 as part of Google’s grand plan to eliminate third-party tracking cookies. Rather than relying on those cookies, website developers can call the API to display ads matched to a user’s interests. In the announcement, Google’s VP of the Privacy Sandbox initiative called it “a significant step on the path towards a fundamentally more private web.”

However, according to noyb, the problem is that although Privacy Sandbox is advertised as an improvement over third-party tracking, that tracking doesn’t go away. Instead, it is done within the browser by Google itself. To comply with the rules, Google needs informed consent from users, which is where issues start. Noyb wrote today: “Google’s internal browser tracking was introduced to users via a pop-up that said ‘turn on ad privacy feature’ after opening the Chrome browser. In the European Union, users are given the choice to either ‘Turn it on’ or to say ‘No thanks,’ so to refuse consent.” Users would be forgiven for thinking that ‘turn on ad privacy feature’ would protect them from tracking. However, what it actually does is turn on first-party tracking.

Max Schrems, honorary chairman of noyb, claimed: “Google has simply lied to its users. People thought they were agreeing to a privacy feature, but were tricked into accepting Google’s first-party ad tracking. “Consent has to be informed, transparent, and fair to be legal. Google has done the exact opposite.” Noyb noted that Google had argued “choosing to click on ‘Turn it on’ would indeed be considered consent to tracking under Article 6(1)(a) of the GDPR.”

Read more of this story at Slashdot.

Huge Google Search Document Leak Reveals Inner Workings of Ranking Algorithm

Danny Goodwin reports via Search Engine Land: A trove of leaked Google documents has given us an unprecedented look inside Google Search and revealed some of the most important elements Google uses to rank content. Thousands of documents, which appear to come from Google’s internal Content API Warehouse, were released March 13 on Github by an automated bot called yoshi-code-bot. These documents were shared with Rand Fishkin, SparkToro co-founder, earlier this month.

What’s inside. Here’s what we know about the internal documents, thanks to Fishkin and [Michael King, iPullRank CEO]:

Current: The documentation indicates this information is accurate as of March.
Ranking features: 2,596 modules are represented in the API documentation with 14,014 attributes.
Weighting: The documents did not specify how any of the ranking features are weighted — just that they exist.
Twiddlers: These are re-ranking functions that “can adjust the information retrieval score of a document or change the ranking of a document,” according to King.
Demotions: Content can be demoted for a variety of reasons, such as: a link doesn’t match the target site; SERP signals indicate user dissatisfaction; Product reviews; Location; Exact match domains; and/or Porn.
Change history: Google apparently keeps a copy of every version of every page it has ever indexed. Meaning, Google can “remember” every change ever made to a page. However, Google only uses the last 20 changes of a URL when analyzing links.

Other interesting findings. According to Google’s internal documents:
Freshness matters — Google looks at dates in the byline (bylineDate), URL (syntacticDate) and on-page content (semanticDate).
To determine whether a document is or isn’t a core topic of the website, Google vectorizes pages and sites, then compares the page embeddings (siteRadius) to the site embeddings (siteFocusScore).
Google stores domain registration information (RegistrationInfo).
Page titles still matter. Google has a feature called titlematchScore that is believed to measure how well a page title matches a query.
Google measures the average weighted font size of terms in documents (avgTermWeight) and anchor text.
What does it all mean? According to King: “[Y]ou need to drive more successful clicks using a broader set of queries and earn more link diversity if you want to continue to rank. Conceptually, it makes sense because a very strong piece of content will do that. A focus on driving more qualified traffic to a better user experience will send signals to Google that your page deserves to rank.” […] Fishkin added: “If there was one universal piece of advice I had for marketers seeking to broadly improve their organic search rankings and traffic, it would be: ‘Build a notable, popular, well-recognized brand in your space, outside of Google search.'”

Read more of this story at Slashdot.

Google Threatens To Pause Google News Initiative Funding In US

Google has warned nonprofit newsrooms that a new California bill taxing Big Tech for digital ad transactions would jeopardize future investments in the U.S. news industry. “This is the second time this year Google has threatened to pull investment in news in response to a regulatory threat in California — but this time, hundreds of publishers outside of California would also feel the impact,” reports Axios. From the report: Google’s new outreach to smaller news outlets is happening in response to a different bill, introduced this year by State Sen. Steve Glazer, that would tax Big Tech companies like Google and Meta for “data extraction transactions,” or digital ad transactions. Tax revenue would fund tax credits meant to support the hiring of more journalists in California by eligible nonprofit local news organizations. With the link tax bill, Google only threatened to pull news investments in California. But the company is telling partners that the ad tax proposal will threaten consideration of new grants nationwide by the Google News Initiative, which funds hundreds of smaller news outlets, sources told Axios. Previous commitments, however, should be secure. A spokesperson for the Institute for Nonprofit News said the organization believes that grants previously committed through GNI as described here “are secure, so INN members should continue to benefit through this particular Fundamentals Labs program.”

Google’s concern, sources familiar with the company’s thinking told Axios, is that the new California ad tax bill could set a troubling wider precedent for other states. California’s Senate tax committee approved the “ad tax” bill May 8. Days after that, Google started making calls to nonprofits about potentially pausing future Google News Initiative funding, sources told Axios. Opponents argue (PDF) the ad tax burden would get passed down to consumers and businesses. They also say the measure would face legal challenges, similar to a digital ad tax introduced in Maryland last year.

Read more of this story at Slashdot.

How an ‘Unprecedented’ Google Cloud Event Wiped Out a Major Customer’s Account

Ars Technica looks at what happened after Google’s answer to Amazon’s cloud service “accidentally deleted a giant customer account for no reason…”

“[A]ccording to UniSuper’s incident log, downtime started May 2, and a full restoration of services didn’t happen until May 15.”

UniSuper, an Australian pension fund that manages $135 billion worth of funds and has 647,000 members, had its entire account wiped out at Google Cloud, including all its backups that were stored on the service… UniSuper’s website is now full of must-read admin nightmare fuel about how this all happened. First is a wild page posted on May 8 titled “A joint statement from UniSuper CEO Peter Chun, and Google Cloud CEO, Thomas Kurian….” Google Cloud is supposed to have safeguards that don’t allow account deletion, but none of them worked apparently, and the only option was a restore from a separate cloud provider (shoutout to the hero at UniSuper who chose a multi-cloud solution)… The many stakeholders in the service meant service restoration wasn’t just about restoring backups but also processing all the requests and payments that still needed to happen during the two weeks of downtime.

The second must-read document in this whole saga is the outage update page, which contains 12 statements as the cloud devs worked through this catastrophe. The first update is May 2 with the ominous statement, “You may be aware of a service disruption affecting UniSuper’s systems….” Seven days after the outage, on May 9, we saw the first signs of life again for UniSuper. Logins started working for “online UniSuper accounts” (I think that only means the website), but the outage page noted that “account balances shown may not reflect transactions which have not yet been processed due to the outage….” May 13 is the first mention of the mobile app beginning to work again. This update noted that balances still weren’t up to date and that “We are processing transactions as quickly as we can.” The last update, on May 15, states, “UniSuper can confirm that all member-facing services have been fully restored, with our retirement calculators now available again.”

The joint statement and the outage updates are still not a technical post-mortem of what happened, and it’s unclear if we’ll get one. Google PR confirmed in multiple places it signed off on the statement, but a great breakdown from software developer Daniel Compton points out that the statement is not just vague, it’s also full of terminology that doesn’t align with Google Cloud products. The imprecise language makes it seem like the statement was written entirely by UniSuper.
Thanks to long-time Slashdot reader swm for sharing the news.

Read more of this story at Slashdot.

Google Employees Question Execs Over ‘Decline in Morale’ After Blowout Earnings

“Google’s business is growing at its fastest rate in two years,” reports CNBC, “and a blowout earnings report in April sparked the biggest rally in Alphabet shares since 2015, pushing the company’s market cap past $2 trillion.

“But at an all-hands meeting last week with CEO Sundar Pichai and CFO Ruth Porat, employees were more focused on why that performance isn’t translating into higher pay, and how long the company’s cost-cutting measures are going to be in place.”

“We’ve noticed a significant decline in morale, increased distrust and a disconnect between leadership and the workforce,” a comment posted on an internal forum ahead of the meeting read. “How does leadership plan to address these concerns and regain the trust, morale and cohesion that have been foundational to our company’s success?”

Google is using artificial intelligence to summarize employee comments and questions for the forum.
Alphabet’s top leadership has been on the defensive for the past few years, as vocal staffers have railed about post-pandemic return-to-office mandates, the company’s cloud contracts with the military, fewer perks and an extended stretch of layoffs — totaling more than 12,000 last year — along with other cost cuts that began when the economy turned in 2022. Employees have also complained about a lack of trust and demands that they work on tighter deadlines with fewer resources and diminished opportunities for internal advancement.

The internal strife continues despite Alphabet’s better-than-expected first-quarter earnings report, in which the company also announced its first dividend as well as a $70 billion buyback. “Despite the company’s stellar performance and record earnings, many Googlers have not received meaningful compensation increases” a top-rated employee question read. “When will employee compensation fairly reflect the company’s success and is there a conscious decision to keep wages lower due to a cooling employment market?”

Read more of this story at Slashdot.

Google Will Exit Prominent San Francisco Waterfront Office Tower

Google announced on Tuesday that it will be exiting One Market Plaza, a prominent office complex in San Francisco that it had been occupying since 2018. The company’s lease for the 300,000-square-foot-office will expire next April. The San Francisco Chronicle reports: Many of Google’s employees are already working outside of the giant waterfront office, in light of the company’s flexible approach to office attendance. As one of the city’s largest office properties and a prominent feature on its skyline, the 1.6-million-square-foot One Market Plaza complex features two high-rise towers and a 11-story office annex building known as the Landmark.” Ryan Lamont, a spokesperson for Google, said the company will be moving out of One Market’s Spear Tower, but will continue to occupy the smaller Landmark building. He declined to comment on how long Google plans to remain in the latter.” As we’ve said before, we’re focused on investing in real estate efficiently to meet the current and future needs of our hybrid workforce,” Lamont said in an email to the Chronicle. “We remain committed to our long-term presence in San Francisco.”

Real estate market participants who spoke with the Chronicle indicated that Google plans to consolidate much of its operations from One Market to nearby 345 Spear St., where the company leases about 400,000 square feet. These individuals said that Google will likely renew its lease at that property once it expires next year.

Read more of this story at Slashdot.

Google Fit Dev APIs Shutdown Set, Fate of Android and Wear OS Apps Go Unannounced

Abner Li reports via 9to5Google: Since the launch of Health Connect in 2022, Google has been winding down the Google Fit developer APIs. Earlier this week, the company fully detailed how the “Google Fit APIs have been deprecated and will be supported until June 30, 2025.” Fitness and exercise apps that previously used Google Fit have until the June 2025 deadline to switch to Health Connect, with Google broadly referring to it as the “Android Health platform.”

Google’s migration guide for developers lists what they’re supposed to switch to on Android phones and Wear OS. However, there is no replacement for the Goals API that lets Google Fit users set “how many steps and heart points they want to aim for each day.” Google says it will “share more details about what’s next for Android Health” at I/O later this month.

As of this API shutdown announcement, Google has said nothing about the Google Fit apps on Android, Wear OS, and iOS. They still work to track activity and house your full archive. […] At this point, it’s clear that Google Fit is not the future. On the Pixel Watch, Fitbit is the default, while Samsung and other Wear OS manufacturers have their own health tracking solutions. If Google were to announce a deprecation of the Fit app, having it coincide with the June 2025 developer deadline makes sense.

Read more of this story at Slashdot.