Published: Wed, October 10, 2018
Electronics | By Shannon Stone

Google+ security bug disclosed, service to be shut down


The Google+ vulnerability was discovered at a time that nearly coincided with the notorious privacy leakage scandal of the world's largest social media network Facebook, which has been widely criticized for its failure to protect its users' private data.

The Wall Street Journal says it reviewed an internal memo circulated among Google's legal staff and senior executives that warned of "immediate regulatory interest" and public comparisons to Facebook's user information leak to Cambridge Analytica should the mistake become public.

CEO Sundar Pichai was reportedly informed of the decision to not tell users after it had already been made by an internal committee.

Project Strobe will also lead to Google account holders getting more fine-grained controls over the data they share with apps, which now have overly broad access to user information, Google said.

Allegedly, the glitch gave outside developers unauthorized access to the relevant data for quite some time, from 2015 until Google's discovery in March of this year. The bug allowed developers who had access to the Google+ API to access information about users who gave permission to the program.

According to the company, profile information like name, email address and age from some users was available to apps, even if users had not marked it public. The bug is said to have affected as many as 500,000 accounts, though the company says it found "no evidence" that any data was actually misused. The company, however, cannot confirm which users were affected by the bug when it was active from 2015 to 2018.

Smith said that despite Google's engineering teams putting in a lot of effort, "[Google+] has not achieved broad consumer or developer adoption, and has seen limited user interaction with apps." Up to 496,951 users could have been affected, and up to 438 apps could have accessed the data. "We chose to sunset the consumer version of Google+," the company said in the post.

As for Google+, the search giant won't miss it that much because the site never got off the ground with end users.

Google says that like other tech companies, it has encouraged third-party developers to "build on top of our various services".

Google said it would continue to offer private Google+-powered networks for businesses now using the software.

Google has now decided that the incident shows Google+ APIs and associated controls are too challenging to develop and maintain, so it will shutter the social network over a ten-month period.

Google does not yet have a lead EU Supervisory authority, as the breach apparently happened before the EU's new privacy law, the General Data Protection Regulation (GDPR), was implemented.

The company also admitted the low engagement statistics of Google+.
