Press "Enter" to skip to content

Google+ bug gave developers access to non-public data from 52.5M users

Google+ was a bit of a disaster for the company when it was still alive, and now that it’s walking dead, it’s becoming even more of a stone around its neck. After disclosing a major security bug in October that affected just under half a million users, it announced that the service would shut down in August 2019. But things are getting worse. Today, the company announced a new privacy hole, one that it found last month, that left some data from about 52.5 million users up for grabs from apps that used the Google+ API.

Because every bug seems to move up the Google+ shutdown date, Google also today announced that the service will now close in April 2019. All Google+ APIs will shut down within the next 90 days.

The new bug, which was only live for about six days in early November, is related to the Google+ People API. It allowed apps that requested the permission to view profile information from users — like their names, email address, occupation, gender, birthday, relationship status and age — to access this information, even when that data was set to non-public.

It gets worse, though; apps that had access to this data also had access to profile data that had been shared with the user by other Google+ users but that wasn’t shared publicly.

Google says that it doesn’t have any evidence that developers ever realized that they had access to this data (the advantage of running a social network that few people still use, I guess) or that the data was misused in any way. It also stresses that these apps only had access to this data for six days. The bug was introduced, detected and fixed within the period of one week, from November 7 to 13 of this year.

The last time around, Google was heavily criticized for waiting far too long to disclose the bug. This time, people in the know inside the company tell me that they decided to react quickly after going through the internal disclosure process, in part because the company wants to show more transparency.

“We understand that our ability to build reliable products that protect your data drives user trust,” the company writes in a blog post today. “We have always taken this seriously, and we continue to invest in our privacy programs to refine internal privacy review processes, create powerful data controls, and engage with users, researchers, and policymakers to get their feedback and improve our programs. We will never stop our work to build privacy protections that work for everyone.”

source: TechCrunch