[BreachExchange] Google is shutting down Google+ after it exposed user data and neglected to tell anyone

Destry Winant destry at riskbasedsecurity.com
Mon Oct 8 21:30:34 EDT 2018


Apparently Google+ users weren’t the only ones not paying attention to
the social network. According to a report in the Wall Street Journal,
Google discovered a “software glitch” earlier this year that had allowed
third-party developers access to the private profile data of some
500,000 users since 2015, including “full names, email addresses, birth
dates, gender, profile photos, places lived, occupation and relationship

That’s a lot of exposed data. And to make matters worse, Google found
out about it in the spring and decided not to tell anyone, reports the
Wall Street Journal. The paper says the search giant said in a memo
that it kept the breach private to avoid public and regulatory
scrutiny. Google told the Journal that it considered “whether we could
accurately identify the users to inform, whether there was any
evidence of misuse, and whether there were any actions a developer or
user could take in response, (and) none of these thresholds were met

But Google is doing something about it today. In a blog post about its
Project Strobe initiative, which is a “root-and-branch review of
third-party developer access to Google account and Android device
data,” Google announced that it will be shutting down Google+ for
consumers between now and August due to “significant challenges” to
maintaining a social network. The enterprise edition used by G Suite
clients will not be affected by the change.

In the post, Google admits that Google+ “has not achieved broad
consumer or developer adoption, and has seen limited user interaction
with apps.” Of note, it says that 90 percent of Google+ user sessions
are less than five seconds.

But the shutdown isn’t just the result of low daily active users. It’s
also due to the fact that Google had allowed developers access to both
public and private profile fields. While Google found no evidence that
developers misused this unintentional access and patched the bug in
March, opting to keep this data secret isn’t cool, no matter how
unpopular Google+ is.

In addition to shutting down the service, Google is also implementing
several additional security features for its services, including:

- More granular Google Account permissions;
- Limiting the types of apps that are permitted to access Gmail;
- Limiting apps’ ability to receive Call Log and SMS permissions on
Android devices; and
- No longer making contact interaction data available via the Android
Contacts API.

That’s all well and good, but Google will still have lots of questions
to answer, some of which may be addressed on the stage tomorrow during
its Made By Google event where the Pixel 3 is expected to debut.

Why this matters: Wait, Google+ is still a thing? All jokes aside,
Google+ still has millions of users, and any breach that affects
private information is a major one. And it raises the question: If
Google hid this breach from the public, how do we know there aren’t
others? Google’s business model is based on trust, and hiding a
potentially dangerous breach for six months is not the way to keep it.
