Google+ shut down after bug-ridden API leaked up to 500,000 profiles
9 October 2018
Google has decided to shut down its Google+ social media platform for consumers, stating that there are significant challenges in maintaining it in line with strict privacy requirements of consumers and also because the platform has not enjoyed expected adoption from consumers ever since it was launched.
While Google has decided to keep Google+ for Enterprises afloat, it has decided to sunset Google+ for consumers after a fact-finding exercise revealed the presence of a significant bug in one of its APIs that allowed developers unfiltered access to user data.
Bug in Google+ API allowed developers unfiltered access to user data
Earlier this year, Google initiated Project Strobe, an exercise that involved an in-depth review of all Google+ APIs to assess whether such APIs allowed developers to access only the data that consumers had authorised. During its investigation, the company stumbled upon a bug-ridden Google+ People API that gave developers access to profile data for which users had never granted access, including profile fields such as names, email addresses, occupations, gender, and age.
Even though the said bug was patched by Google in March this year, the company said that it could have appeared as a result of the API’s interaction with a subsequent Google+ code change. Based on an analysis of two weeks’ worth of log data generated by the affected API, Google determined that profiles of up to 500,000 Google+ accounts were potentially affected and that the said API was used by as many as 438 applications.
However, the company added that there was no evidence that any developer was aware of the bug, or abused the API, or any profile data being misused.
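The defect described above is a scope-enforcement failure: an API handed back profile fields that the user had never consented to share. The following is an added example, not Google's code and not the real People API, that contrasts a leaky handler with a deny-by-default one that releases only fields whose consent scope was granted, and then replays constructed API log entries the way a two-week log review would, to count the users and applications that received over-scoped data. The field-to-scope map, scope names, profile and log records are all assumptions constructed for the illustration.

```python
from typing import Dict, Iterable, List, Set, Tuple

# Assumed mapping from each profile field to the consent scope that must be
# granted before the field may be returned. Scope names are invented.
FIELD_SCOPES: Dict[str, str] = {
    "name": "profile.basic",
    "email": "profile.email",
    "occupation": "profile.extended",
    "gender": "profile.extended",
    "age": "profile.extended",
}

# Constructed sample profile record; the values are placeholders.
PROFILE: Dict[str, object] = {
    "name": "Example User",
    "email": "user@example.invalid",
    "occupation": "engineer",
    "gender": "unspecified",
    "age": 33,
    "internal_flag": True,  # a field with no consent scope at all
}


def people_api_leaky(profile: Dict[str, object], granted_scopes: Set[str]) -> Dict[str, object]:
    """'Before' behaviour: the granted scopes are ignored and the whole
    stored record is returned, which is the class of bug the article describes."""
    return dict(profile)


def people_api_filtered(profile: Dict[str, object], granted_scopes: Set[str]) -> Dict[str, object]:
    """Hardened behaviour: a field is released only if its scope is in the
    granted set. Fields with no registered scope are dropped (deny by default),
    so a field added later cannot leak until someone assigns it a scope."""
    return {
        field: value
        for field, value in profile.items()
        if FIELD_SCOPES.get(field) in granted_scopes
    }


# Constructed API log entries: what each app was granted and what the
# server actually returned for one request.
SAMPLE_LOG: List[Dict[str, object]] = [
    {"app_id": "app-1", "user_id": "u1", "granted_scopes": ["profile.basic"],
     "returned_fields": ["name", "email", "age"]},
    {"app_id": "app-2", "user_id": "u2", "granted_scopes": ["profile.basic", "profile.email"],
     "returned_fields": ["name", "email"]},
    {"app_id": "app-1", "user_id": "u3", "granted_scopes": ["profile.basic"],
     "returned_fields": ["name"]},
]


def audit_responses(entries: Iterable[Dict[str, object]]) -> Tuple[Set[str], Set[str]]:
    """Replay log entries and flag every response that carried a field whose
    scope the app had not been granted. Returns the set of affected users and
    the set of applications that received over-scoped data."""
    affected_users: Set[str] = set()
    affected_apps: Set[str] = set()
    for entry in entries:
        granted = set(entry["granted_scopes"])
        over_scoped = [
            field for field in entry["returned_fields"]
            if FIELD_SCOPES.get(field) not in granted
        ]
        if over_scoped:
            affected_users.add(entry["user_id"])
            affected_apps.add(entry["app_id"])
    return affected_users, affected_apps


if __name__ == "__main__":
    basic_only = {"profile.basic"}
    print("leaky:   ", sorted(people_api_leaky(PROFILE, basic_only)))
    print("filtered:", sorted(people_api_filtered(PROFILE, basic_only)))
    users, apps = audit_responses(SAMPLE_LOG)
    print(f"affected users: {len(users)}, affected apps: {len(apps)}")
```

The audit only works because the log records both what was granted and what was returned; an API that logs neither cannot answer the question Google's review had to answer, which is why scope grants and response field sets are worth logging per request.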
“Our Privacy & Data Protection Office reviewed this issue, looking at the type of data involved, whether we could accurately identify the users to inform, whether there was any evidence of misuse, and whether there were any actions a developer or user could take in response. None of these thresholds were met in this instance.
“The review did highlight the significant challenges in creating and maintaining a successful Google+ that meets consumers’ expectations. Given these challenges and the very low usage of the consumer version of Google+, we decided to sunset the consumer version of Google+,” wrote Ben Smith, Vice President of Engineering at Google in a blog post.
While Google’s admission that Google+ APIs were too complex to allow it to take accurate action following a breach played a part in the platform’s shutdown, another major reason behind Google’s decision is that the consumer version of Google+ had very little to show in terms of consumer engagement or usage, with 90 percent of Google+ user sessions lasting less than five seconds.
Google+ for consumers will not disappear into the wind instantly but will be slowly wound down over the next ten months so that existing users, who do use the platform, will be able to download and migrate their Google+ data to other platforms. To ensure that Google+ for Enterprises does not meet the same fate, Google said the platform will be integrated with common access rules and central controls to make it more privacy-oriented in the coming days.
“Going forward, consumers will get more fine-grained control over what account data they choose to share with each app. Instead of seeing all requested permissions in a single screen, apps will have to show you each requested permission, one at a time, within its own dialog box. For example, if a developer requests access to both calendar entries and Drive documents, you will be able to choose to share one but not the other,” Smith added.
Google did not disclose potential breach for 7 months
Brian Vecci, Technical Evangelist at Varonis, said that the fact that Google did not disclose a potential breach to the public in March is a huge red flag, as a Gmail breach could be the most damaging breach imaginable for the greatest number of people the longer it goes undetected.
“Everyone has a Google account and between emails, calendars, documents and other files, lots of people keep a ton of really valuable data in their Google account — so unauthorised access could be really damaging. On top of that, when you get access to someone’s primary email—which for many people is Gmail, you’ve got the keys to their online life. Not only do you have their login, which is almost always their email, you have the ability to reset any password since password reset links are sent via email.
“Unlike many other types of accounts, Google serves for many users as the authentication for other apps like Facebook. Last week, Facebook said they had no evidence that linked apps were accessed. But if these linked apps were accessed due to a breach, it could expose all kinds of personal user data.
“If you’re using Google or Facebook to login to other apps, there is a whole web of information that could be exposed. Breaches like these are the reason why Google, Facebook and other big tech players need to be regulated – they are a gateway to other applications for business and personal use,” he added.
Ilia Kolochenko, CEO of High-Tech Bridge, also said that the disclosure timeline (Google took seven months to disclose the potential breach) is incomprehensibly long and will likely provoke a lot of questions from regulatory authorities, and that Google’s inability to assess and quantify the users impacted does not exempt it from disclosure.
“Although a security vulnerability per se does not automatically trigger the disclosure duty, in this case, it seems that Google has some reasonable doubts that the flaw could have been exploited. Further clarification from Google and technical details of the incident would certainly be helpful to restore confidence and trust among its users currently abandoned in darkness,” he added.