Google was aware of a flaw that exposed over 500,000 of Google Plus users, but did not disclose it
9.10.2018 securityaffairs Social
This is a very bad news for Google that suffered a massive data breach that exposed the private data of over 500,000 of Google Plus users to third-party developers.
As a consequence of the data exposure, the company is going to shut down the social media network Google+.
The root cause of the data breach is a security vulnerability affecting one of Google+ People APIs that allowed third-party developers to access data for more than 500,000 users.
Exposed data include including usernames, email addresses, occupation, date of birth, profile photos, and gender-related information.
The worse aspect of the story is that the company did not disclose the flaw in the Google+ when it first discovered the issue in this spring because it feared regulatory scrutiny and reputational damage.
“Google exposed the private data of hundreds of thousands of users of the Google+ social network and then opted not to disclose the issue this past spring, in part because of fears that doing so would draw regulatory scrutiny and cause reputational damage, according to people briefed on the incident and documents reviewed by The Wall Street Journal.” reported the Wall Street Journal.
“As part of its response to the incident, the Alphabet Inc. unit on Monday announced a sweeping set of data privacy measures that include permanently shutting down all consumer functionality of Google+.”
Google declared that its experts immediately addressed this vulnerability in March 2018 and that they have found no evidence that any developer has exploited the flaw to access users data. The flaw was present in the Google+ People APIs since 2015.
“We discovered and immediately patched this bug in March 2018. We believe it occurred after launch as a result of the API’s interaction with a subsequent Google+ code change.” reads a blog post published by Google.
“We made Google+ with privacy in mind and therefore keep this API’s log data for only two weeks. That means we cannot confirm which users were impacted by this bug. However, we ran a detailed analysis over the two weeks prior to patching the bug, and from that analysis, the Profiles of up to 500,000 Google+ accounts were potentially affected. Our analysis showed that up to 438 applications may have used this API.”
The choice of not disclosing the vulnerability was probably influenced by the Cambridge Analytica scandal that was occurring in the same period.
“A memo reviewed by the Journal prepared by Google’s legal and policy staff and shared with senior executives warned that disclosing the incident would likely trigger “immediate regulatory interest” and invite comparisons to Facebook’s leak of user information to data firm Cambridge Analytica.” continues the WSJ.
Experts believe that the vulnerability in Google+ is similar to the one recently discovered in Facebook API.
Google will maintain Google+ only for Enterprise users starting from August 2019.
Google also provided information about the Project Strobe program that has seen a privacy internal task force conducting a companywide audit of the company’s APIs in recent months.
“In a blog post on Monday, Google said it plans to clamp down on the data it provides outside developers through APIs. The company will stop letting most outside developers gain access to SMS messaging data, call log data and some forms of contact data on Android phones, and Gmail will only permit a small number of developers to continue building add-ons for the email service, the company said.” concludes the WSJ.
“The coming changes are evidence of a larger rethinking of data privacy at Google, which has in the past placed relatively few restrictions on how external apps access users’ data, provided those users give permission. Restricting access to APIs will hurt some developers who have been helping Google build a universe of useful apps.”