Bug in Google+ API exposed personal data of 52.5 million users
14 December 2018
Google announced this week that it would expedite the shutdown of the consumer version of Google+ after the company discovered that a newly introduced bug in a Google+ API exposed personal information of up to 52.5 million users to app developers and third parties.
Earlier this year, Google initiated Project Strobe, an exercise that involved an in-depth review of all Google+ APIs to assess whether those APIs allowed developers to access only the data that consumers had authorised.
During its investigation, the company found a bug in the Google+ People API that gave the developers of as many as 438 applications access to customer data for which users had never granted access, including sensitive data such as the names, email addresses, occupations, gender, and age of up to 500,000 Google+ users.
Following the discovery of the massive exposure of customer data, Google announced its decision to shut down the consumer version of Google+ by August 2019, stating that there were “significant challenges” in creating and maintaining a successful Google+ that met consumers’ expectations and that the consumer version of Google+ had very little to show in terms of consumer engagement or usage, with 90 percent of Google+ user sessions lasting less than five seconds.
New bug in Google+ API exposed 52.5m users
Earlier this week, Google announced that it had discovered yet another bug that affected one of its Google+ APIs and had possibly exposed the profile information of approximately 52.5 million users to unauthorised access. Information exposed by the bug included names, dates of birth, gender and email addresses, and could be viewed by apps and third parties even when the user had set those fields to not-public.
Google revealed that the bug was introduced to its platform via a software update introduced in November and was fixed within a week of being discovered. Even though personal data of millions of users was exposed, there is no evidence that such data was accessed by any third party or misused by app developers.
The bug did not, however, give developers access to information such as financial data, national identification numbers, passwords, or similar data that could be used by malicious entities for fraud or identity theft.
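The class of defect described above (an API returning profile fields that the user had marked not-public to any app holding a profile-read permission) is easy to illustrate in code. The following is an added example, not Google's code and not the Google+ People API: the profile model, field names, visibility values and the `profile.read` scope are all constructed for this example. It places a serializer that checks only the caller's scope and then returns every field beside a hardened serializer that also enforces per-field visibility, and includes a small audit helper of the kind a review such as Project Strobe would apply to an API response.

```python
"""Illustrative example (constructed, not Google's code): field-level
visibility enforcement in a profile API response."""
from dataclasses import dataclass

PUBLIC = "public"
PRIVATE = "private"
PROFILE_SCOPE = "profile.read"   # hypothetical OAuth scope name


@dataclass
class Profile:
    fields: dict       # field name -> value
    visibility: dict   # field name -> PUBLIC or PRIVATE, as set by the user


# Constructed sample profile: only the name is public.
SAMPLE_PROFILE = Profile(
    fields={
        "name": "A. Example",
        "email": "a.example@example.invalid",
        "birthdate": "1990-01-01",
        "gender": "unspecified",
    },
    visibility={
        "name": PUBLIC,
        "email": PRIVATE,
        "birthdate": PRIVATE,
        "gender": PRIVATE,
    },
)


def serialize_buggy(profile, granted_scopes):
    """Defective serializer: authorises the *call* (does the app hold the
    profile scope?) but never consults the per-field visibility, so every
    field, including not-public ones, is returned to the app."""
    if PROFILE_SCOPE not in granted_scopes:
        raise PermissionError("profile scope not granted")
    return dict(profile.fields)


def serialize_fixed(profile, granted_scopes, caller_is_owner=False):
    """Hardened serializer: the scope check stays, and each field is
    released only if the user marked it public or the caller is the
    profile owner. Fields with no recorded setting are treated as
    private (default deny)."""
    if PROFILE_SCOPE not in granted_scopes:
        raise PermissionError("profile scope not granted")
    response = {}
    for name, value in profile.fields.items():
        visibility = profile.visibility.get(name, PRIVATE)
        if visibility == PUBLIC or caller_is_owner:
            response[name] = value
    return response


def leaked_fields(profile, response):
    """Audit helper: names of fields present in a response that the user
    did not mark public. An empty list means nothing non-public leaked."""
    return sorted(
        name for name in response
        if profile.visibility.get(name, PRIVATE) != PUBLIC
    )


if __name__ == "__main__":
    app_scopes = {PROFILE_SCOPE}
    print("buggy leaks:", leaked_fields(SAMPLE_PROFILE, serialize_buggy(SAMPLE_PROFILE, app_scopes)))
    print("fixed leaks:", leaked_fields(SAMPLE_PROFILE, serialize_fixed(SAMPLE_PROFILE, app_scopes)))
```

Running the `leaked_fields` audit over the output of each serializer is the check that distinguishes the two: the defective version reports the three non-public fields, the hardened one reports none, and only the profile owner receives the full record.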
“With the discovery of this new bug, we have decided to expedite the shut-down of all Google+ APIs; this will occur within the next 90 days. In addition, we have also decided to accelerate the sunsetting of consumer Google+ from August 2019 to April 2019.
“We want to give users ample opportunity to transition off of consumer Google+, and over the coming months, we will continue to provide users with additional information, including ways they can safely and securely download and migrate their data,” said David Thacker, VP, Product Management, G Suite.