Google+ suffered a massive data breach that exposed the details of more than 500,000 users to third-party developers. Google is going to shut down its social media network for consumers by the end of August 2019.
A security vulnerability in one of the Google+ People APIs allowed third-party developers to access usernames, email addresses, dates of birth, profile photos, occupation and gender-related information of hundreds of thousands of users, the tech giant said.
Google cannot confirm the exact number of people affected by the vulnerability, since the Google+ servers do not keep API logs older than two weeks. However, in its blog post, the company said that it has found no evidence that any Google+ developer was aware of the vulnerability. There is also no evidence that any of the 438 developers that could have had access misused the profile data.
“We made Google+ with privacy in mind and therefore keep this API’s log data for only two weeks. That means we cannot confirm which users were impacted by this bug. However, we ran a detailed analysis over the two weeks prior to patching the bug, and from that analysis, the Profiles of up to 500,000 Google+ accounts were potentially affected. Our analysis showed that up to 438 applications may have used this API,” Google said in its post.
The company has not revealed much about the technical side of the breach, but it may be similar to the scandalous Facebook API flaw, which allowed unauthorized developers to access private data of Facebook users. Google fixed the vulnerability when it discovered it in March this year; however, the tech giant chose not to disclose the breach to the public at that time.
In its recent blog post, Google also admitted that its social network Google+ failed to gain broad adoption and significant traction with consumers, and announced that it is going to shut it down. According to the tech giant, there are significant challenges in creating and maintaining a successful Google+ product that meets consumers’ expectations. However, enterprise users will continue to use Google+ as a product.
“We’ve decided to focus on our enterprise efforts and will be launching new features purpose-built for businesses. We will share more information in the coming days,” Google said.
New Privacy Controls Over Third-Party App Permissions
In connection with its “Project Strobe”, Google has reviewed third-party developers’ access to Google account and Android device data. The company has introduced some new privacy controls, which give users more detailed control over the permissions they grant.
For instance, when a third-party app previously asked users for access to their Google account data, the “Allow” button approved all requested permissions at once, leaving a chance for malicious apps to gain powerful permissions by tricking users. Now, with an update to its Account Permissions system, Google asks for each requested permission individually. The company has also limited access to the Gmail API, keeping it only for apps that directly enhance email functionality, thereby restricting developers’ access to extremely sensitive user data.