Second Google+ API bug exposes private data of 52.5 million

Google says it has expedited the platform closure by 4 months as a result

A newly discovered flaw in Google+ has exposed data belonging to 52.5 million users, even if their account settings were set to private, leading the company to shutter the social media platform earlier than expected.

Google revealed that a bug in a Google+ API, discovered in November, allowed developers to access user data, regardless of their privacy settings, and extract information for use in applications.

Google first discovered the bug in November and patched it within a week, the company revealed in an advisory post on Monday. As a result, Google+ APIs will shut down within the next 90 days, preventing any further app development using the platform, and the closure of the service will be brought forward from August to April 2019.

"We've recently determined that some users were impacted by a software update introduced in November that contained a bug affecting a Google+ API," said David Thacker, VP product management for G Suite. "We discovered this bug as part of our standard and ongoing testing procedures and fixed it within a week of it being introduced. No third party compromised our systems, and we have no evidence that the app developers that inadvertently had this access for six days were aware of it or misused it in any way."

Although there is no evidence that the API was exploited, the bug could have allowed attackers to view information such as name, email address, occupation and age, even if the account settings were not public. Despite this, Google insists that no financial data, national identification numbers or passwords were at risk during this time.

It's a case of déjà vu for Google, as a similar buggy API was found in October which allowed malicious apps to access the data of half a million users, again with no evidence that the data was actually accessed or exploited.

In the October announcement, Google first said it would be shutting down its social network for consumers, citing the August 2019 deadline. The decision sparked widespread outrage among customers as it emerged that the company knew about the buggy API as far back as March 2018, taking seven months to disclose its findings.

Google CEO Sundar Pichai will appear before Congress today to address various allegations made against the company, including political bias towards the Democrats, whether it will restart its search engine in China via project Dragonfly, and also the Google+ API bug from October.

Pichai's written testimony was made public on Monday, around the time of the API announcement and ahead of a congressional hearing where he was expected to face tough questions, including ones surrounding the October Google+ data breach. It indicated that he would defend the integrity of his company's products.

"We work hard to ensure the integrity of our products, and we've put a number of checks and balances in place to ensure they continue to live up to our standards," Pichai's testimony read. "I lead this company without political bias and work to ensure that our products continue to operate that way. To do otherwise would go against our core principles and our business interests."

Google+ launched in 2011, seemingly in an attempt to rival Facebook, but quickly slipped into irrelevance. That attempt ultimately failed: Zuckerberg's venture, the recipient of much criticism over the past few years, still retains market dominance.
