Second Google+ API bug exposes private data of 52.5 million

Google says it has expedited the platform closure by 4 months as a result

A newly discovered flaw in Google+ has exposed data belonging to 52.5 million users, even if their account settings were set to private, leading the company to shutter the social media platform earlier than expected.

Google revealed that a bug in a Google+ API, discovered in November, allowed developers to access user data, regardless of their privacy settings, and extract information for use in applications.

Google first discovered the bug in November and patched it within a week, the company revealed in an advisory post on Monday. As a result, Google+ APIs will shut down within the next 90 days, preventing any further app development using the platform, and the closure of the service will be brought forward from August to April 2019.

"We've recently determined that some users were impacted by a software update introduced in November that contained a bug affecting a Google+ API," said David Thacker, VP product management for G Suite. "We discovered this bug as part of our standard and ongoing testing procedures and fixed it within a week of it being introduced. No third party compromised our systems, and we have no evidence that the app developers that inadvertently had this access for six days were aware of it or misused it in any way."

Although there is no evidence that the API was exploited, the bug could have allowed attackers to view information such as name, email address, occupation and age, even if the account settings were not public. Despite this, Google insists that no financial data, national identification numbers or passwords were at risk during this time.

Advertisement - Article continues below
Advertisement - Article continues below

It's a case of Dj vu for Google as a similar buggy API was found in October which allowed malicious apps to access the data of half a million users, again with no evidence that the data was actually accessed or exploited.

In the October announcement, Google first said it would be shutting down its social network for consumers, citing the August 2019 deadline. The decision sparked widespread outrage among customers as it emerged that the company knew about the buggy API as far back as March 2018, taking seven months to disclose its findings.

Google CEO Sundar Pichai will appear before Congress today to address various allegations made against the company, including political bias towards the Democrats, whether it will restart its search engine in China via project Dragonfly, and also the Google+ API bug from October.

Written testimony of Pichai was made public on Monday, around the time of the API announcement. It read that he would defend the integrity of his company's products ahead of a congressional hearing where he was expected to face tough questions including ones surrounding the October Google+ data breach.

"We work hard to ensure the integrity of our products, and we've put a number of checks and balances in place to ensure they continue to live up to our standards," Pichai's testimony read. "I lead this company without political bias and work to ensure that our products continue to operate that way. To do otherwise would go against our core principles and our business interests."

Advertisement - Article continues below

Google+ quickly slipped into irrelevance after its launch in 2011, seemingly in an attempt to rival Facebook which ultimately failed as Zuckerberg's venture, recipient of much criticism for the past few years, still retains market dominance.

Featured Resources

Digitally perfecting the supply chain

How new technologies are being leveraged to transform the manufacturing supply chain

Download now

Three keys to maximise application migration and modernisation success

Harness the benefits that modernised applications can offer

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

The 3 approaches of Breach and Attack Simulation technologies

A guide to the nuances of BAS, helping you stay one step ahead of cyber criminals

Download now


internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

public sector

UK gov launches £300,000 SEN EdTech initiative

22 Jan 2020
operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020
mergers and acquisitions

Xerox to nominate directors to HP's board – reports

22 Jan 2020
web browser

What is HTTP error 503 and how do you fix it?

7 Jan 2020