Google+ Flaw Hits 52.5M Users, Service to Shut Down Early
A new Google+ bug that has probably hit the accounts of about 52.5 million users has made Google think of shutting down the service earlier than scheduled.
Google had announced in October its plans to shut down the consumer version of Google+; the decision, the company stated, was “…because of the significant challenges involved in maintaining a successful product that meets consumers’ expectations, as well as the platform’s low usage.” Now, after detecting a bug that accompanied a November software update, Google has decided to shut down Google+ earlier than scheduled, in April 2019. The bug was discovered and fixed within a week, and the developers who had the unauthorized access for six days were reportedly not aware of it and hadn’t misused it either.
In a post dated Dec 10, 2018, David Thacker, VP, Product Management, G Suite, clarifies, “We’ve recently determined that some users were impacted by a software update introduced in November that contained a bug affecting a Google+ API. We discovered this bug as part of our standard and ongoing testing procedures and fixed it within a week of it being introduced. No third party compromised our systems, and we have no evidence that the app developers that inadvertently had this access for six days were aware of it or misused it in any way.”
The post further states, “With the discovery of this new bug, we have decided to expedite the shut-down of all Google+ APIs; this will occur within the next 90 days. In addition, we have also decided to accelerate the sunsetting of consumer Google+ from August 2019 to April 2019. While we recognize there are implications for developers, we want to ensure the protection of our users.”
So, as announced, consumer Google+ will shut down in August and all Google+ APIs will shut down within the next 90 days. The new bug, which surfaced in early November, was related to the Google+ People API. It could have exposed profile information such as names, gender, email address, date of birth, occupation and relationship status, even when that data was set to non-public. Apps requesting permission to view profile information could access all of this data. Moreover, apps with such access could also reach data that other Google+ users had shared with the user but had not shared publicly. However, according to Google, the developers didn’t know about or misuse the bug, which was fixed within one week, from November 7 to November 13.
Google clarifies, “The bug did not give developers access to information such as financial data, national identification numbers, passwords, or similar data typically used for fraud or identity theft.”
Google has started notifying the consumer users and enterprise customers that were impacted by the issue, and an investigation has also been initiated. The investigation will also look at whether there was any potential impact on other Google+ APIs.
“We understand that our ability to build reliable products that protect your data drives user trust. We have always taken this seriously, and we continue to invest in our privacy programs to refine internal privacy review processes, create powerful data controls, and engage with users, researchers, and policymakers to get their feedback and improve our programs. We will never stop our work to build privacy protections that work for everyone”, Google writes in its blog.
Kevin Jones
Kevin Jones, Ph.D., is a research associate and a cyber security author with experience in penetration testing, vulnerability assessments, monitoring solutions, surveillance and offensive technologies. Currently, he is a freelance writer on the latest security news and other happenings. He has authored numerous articles and exploits which can be found on popular sites like hackercombat.com and others.