Second Google+ API bug exposes private data of 52.5 million

Google says it has expedited the platform closure by 4 months as a result

A newly discovered flaw in Google+ has exposed data belonging to 52.5 million users, even if their account settings were set to private, leading the company to shutter the social media platform earlier than expected.

Google revealed that a bug in a Google+ API, discovered in November, allowed developers to access user data, regardless of their privacy settings, and extract information for use in applications.

Google first discovered the bug in November and patched it within a week, the company revealed in an advisory post on Monday. As a result, Google+ APIs will shut down within the next 90 days, preventing any further app development using the platform, and the closure of the service will be brought forward from August to April 2019.

"We've recently determined that some users were impacted by a software update introduced in November that contained a bug affecting a Google+ API," said David Thacker, VP product management for G Suite. "We discovered this bug as part of our standard and ongoing testing procedures and fixed it within a week of it being introduced. No third party compromised our systems, and we have no evidence that the app developers that inadvertently had this access for six days were aware of it or misused it in any way."

Although there is no evidence that the API was exploited, the bug could have allowed attackers to view information such as name, email address, occupation and age, even if the account settings were not public. Despite this, Google insists that no financial data, national identification numbers or passwords were at risk during this time.

It's a case of déjà vu for Google, as a similar buggy API was found in October that allowed malicious apps to access the data of half a million users, again with no evidence that the data was actually accessed or exploited.

In the October announcement, Google first said it would be shutting down its social network for consumers, citing the August 2019 deadline. The decision sparked widespread outrage among customers as it emerged that the company knew about the buggy API as far back as March 2018, taking seven months to disclose its findings.

Google CEO Sundar Pichai will appear before Congress today to address various allegations made against the company, including political bias towards the Democrats, whether it will restart its search engine in China via project Dragonfly, and also the Google+ API bug from October.

Pichai's written testimony was made public on Monday, around the time of the API announcement. It showed that he would defend the integrity of his company's products, ahead of a congressional hearing where he was expected to face tough questions, including ones surrounding the October Google+ data breach.

"We work hard to ensure the integrity of our products, and we've put a number of checks and balances in place to ensure they continue to live up to our standards," Pichai's testimony read. "I lead this company without political bias and work to ensure that our products continue to operate that way. To do otherwise would go against our core principles and our business interests."

Google+ launched in 2011, seemingly in an attempt to rival Facebook, and quickly slipped into irrelevance. That attempt ultimately failed: Zuckerberg's venture, the recipient of much criticism over the past few years, still retains market dominance.
