After discovering another security issue potentially impacting 52.5 million users, Google today announced that the consumer version of Google+ will be shutting down four months sooner: in April 2019 instead of August 2019. Furthermore, Google will shut down all Google+ APIs within the next 90 days. “While we recognize there are implications for developers, we want to ensure the protection of our users,” said David Thacker, G Suite vice president of product.
In October, Google announced its failed social network will be shutting down for consumers following the discovery of an exploit that could have allowed a malicious developer to collect the data of hundreds of thousands of users. The company said it had uncovered the vulnerability in March 2018 as part of Project Strobe, a 100-person team charged with conducting a sweeping review of third-party developer tools that permit access to Google account and Android device data.
Now, Google has discovered that “some users” were impacted by a software update introduced in November that “contained a bug affecting a Google+ API.” The company says no third party compromised its systems, and it has no evidence that the app developers were aware of it or misused it in any way during the six days the bug was present.
Google adds that it has started notifying consumer users and enterprise customers that were impacted by the Google+ API bug — a list of affected users has been sent to system administrators, and Google promises to reach out again if any additional impacted users or issues are discovered. The company reiterated that it still plans to invest in Google+ for enterprise users.
Google+ API bug
Google wants to emphasize that the bug was introduced, detected, and fixed all within a period of one week. Specifically, the bug was introduced on November 7 and fixed on November 13 as part of the company’s “standard and ongoing testing procedures.”
The bug impacted approximately 52.5 million users in connection with the affected Google+ API. Apps that requested permission from the affected Google+ API to view information that a user had added to their Google+ profile were granted permission even when the profile was set to not-public. Additionally, apps with access to a user’s Google+ profile data also had access to the profile data that had been shared with the consenting user by another Google+ user, but that was not shared publicly.
Profile information that could have been revealed includes users’ names, gender, skills, birthday, email address, occupation, and age (full list). The bug did not give developers access to information such as financial data, national identification numbers, passwords, or similar data typically used for fraud or identity theft.
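To make the failure mode concrete, here is an added illustrative model (not Google's code; field names, visibility levels and the sample profiles are constructed). It contrasts an API handler that hands an app everything the consenting user could see in the UI with one that filters on the field's own visibility, which is the distinction the two symptoms above come down to.

```python
from dataclasses import dataclass
from enum import Enum


class Visibility(Enum):
    """Per-field visibility a profile owner can set (assumed model)."""
    PUBLIC = "public"      # anyone can see it
    LIMITED = "limited"    # shared with specific users only, not public
    PRIVATE = "private"    # owner only


@dataclass(frozen=True)
class ProfileField:
    value: str
    visibility: Visibility
    shared_with: frozenset = frozenset()  # users a LIMITED field is shared with


# Constructed sample data: owner id -> {field name: ProfileField}
PROFILES = {
    "alice": {
        "name": ProfileField("Alice", Visibility.PUBLIC),
        "email": ProfileField("alice@example.com", Visibility.PRIVATE),
        "birthday": ProfileField("1990-01-01", Visibility.LIMITED, frozenset({"bob"})),
    },
    "bob": {
        "name": ProfileField("Bob", Visibility.PUBLIC),
        "occupation": ProfileField("Engineer", Visibility.PRIVATE),
    },
}


def visible_to_user(owner, fld, viewer):
    """What a signed-in person may see when browsing a profile themselves."""
    if fld.visibility is Visibility.PUBLIC or viewer == owner:
        return True
    return fld.visibility is Visibility.LIMITED and viewer in fld.shared_with


def buggy_api_view(profiles, owner, consenting_user):
    """Bug: the app gets every field the consenting user could see, so it
    receives the user's own non-public fields and data others shared with them."""
    return {name: f.value for name, f in profiles[owner].items()
            if visible_to_user(owner, f, consenting_user)}


def fixed_api_view(profiles, owner, consenting_user):
    """Fix: the app's grant covers only fields the owner made public, so the
    result is the user's view intersected with the grant, never the view alone."""
    return {name: f.value for name, f in profiles[owner].items()
            if f.visibility is Visibility.PUBLIC
            and visible_to_user(owner, f, consenting_user)}
```

Checking that `fixed_api_view` returns the same set for a stranger as for the owner is a quick regression test for this class of bug.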
“We understand that our ability to build reliable products that protect your data drives user trust,” Thacker wrote today. “We have always taken this seriously, and we continue to invest in our privacy programs to refine internal privacy review processes, create powerful data controls, and engage with users, researchers, and policymakers to get their feedback and improve our programs. We will never stop our work to build privacy protections that work for everyone.”