Google has disclosed the second security hole in its Google+ social network in three months. This one exposed private information from 100 times as many users as the first, and has prompted the company to hasten the service’s demise.
The bug stemmed from the Google+ People: get application programming interface (API), which lets a third-party developer retrieve a user's Google+ profile. It returns information including their name, profile URL, photo, birthday, gender, relationship status and a short biography. Other items revealed include the organizations they belong to and the places they have lived. There's a full list in the description of the API.
Developers were able to access this information even if it was set to private, the company revealed in a blog post. The flaw also gave them access to other private data that had been shared with the user by other Google+ members.
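The class of bug described above is a missing per-field authorization check: the server found the record and serialised it, without asking whether the caller was allowed to see each field, or whether the user had consented to the app reading data that other members had shared with them. The following is an added, hypothetical model written for this page; it is not Google's code and does not describe how the Google+ backend was actually built. The profile store, the `Field`/`Profile`/`Request` types, the visibility values and the scope names `profile.read` and `shared.read` are all assumptions for the illustration.

```python
"""Hypothetical model of a profile-read API, flawed and hardened.

Added illustration for this page, not Google's code. The data model, the
visibility values and the OAuth scope names are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet


@dataclass(frozen=True)
class Field:
    value: str
    visibility: str                          # "public", "private" or "circles"
    audience: FrozenSet[str] = frozenset()   # user ids allowed when "circles"


@dataclass
class Profile:
    owner: str
    fields: Dict[str, Field]
    # Items other members shared *to* this user, keyed by the sharer's id.
    shared_with_me: Dict[str, Field] = field(default_factory=dict)


@dataclass(frozen=True)
class Request:
    subject: str              # user the app acts on behalf of
    scopes: FrozenSet[str]    # OAuth scopes the subject granted the app
    target: str               # whose profile is requested: "me" or a user id


# Constructed sample data.
PROFILES = {
    "alice": Profile(
        owner="alice",
        fields={
            "displayName": Field("Alice", "public"),
            "birthday": Field("1990-04-01", "private"),
            "relationshipStatus": Field("single", "circles", frozenset({"bob"})),
        },
        shared_with_me={
            "carol": Field("carol's post for alice only", "circles", frozenset({"alice"})),
        },
    ),
    "bob": Profile(owner="bob", fields={"displayName": Field("Bob", "public")}),
}


def people_get_flawed(profiles, req: Request):
    """Flawed: checks that the record exists, then returns everything in it.
    Neither field visibility nor the granted scopes are consulted."""
    prof = profiles[req.subject if req.target == "me" else req.target]
    out = {name: f.value for name, f in prof.fields.items()}
    out.update({f"shared_by_{who}": f.value for who, f in prof.shared_with_me.items()})
    return out


def _visible(f: Field, viewer: str, owner: str) -> bool:
    """Per-field visibility decision; anything unrecognised fails closed."""
    if f.visibility == "public" or viewer == owner:
        return True
    if f.visibility == "circles":
        return viewer in f.audience
    return False


def people_get(profiles, req: Request):
    """Hardened: each field is gated by (a) who may see it and (b) which
    category of data the subject actually consented to expose to the app."""
    target = req.subject if req.target == "me" else req.target
    prof = profiles.get(target)
    if prof is None:
        return None
    out = {}
    for name, f in prof.fields.items():
        if f.visibility == "public":
            out[name] = f.value
        elif "profile.read" in req.scopes and _visible(f, req.subject, prof.owner):
            out[name] = f.value
    # Content other members shared to the subject is a separate data category:
    # only returned for the subject's own record, and only under its own scope.
    if target == req.subject and "shared.read" in req.scopes:
        for who, f in prof.shared_with_me.items():
            out[f"shared_by_{who}"] = f.value
    return out
```

The flawed version returns Alice's private birthday and Carol's shared post to any app that holds a token for Alice, and Alice's birthday to an app acting for Bob; the hardened version returns each field only when the acting user could see it in the product and the app holds the scope covering that data category.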
Google had already announced that it was going to shutter the service in August 2019 following a “root-and-branch review” of third-party developer access to Google account data that turned up the first bug.
That bug was very similar to this latest one. It also stemmed from a vulnerability in one of Google’s People APIs, and it also shared information that Google+ users had made private. Google fixed that bug, which affected 500,000 users, in March but didn’t reveal it until seven months later. The delay drew criticism for the company, which is eager to publish others’ software flaws under the strict disclosure rules in its Project Zero initiative.
Google moved faster this time. It introduced the new bug, which affected approximately 52.5 million users, in a November software update and fixed it within a week, so the gap between the fix and this disclosure was around five weeks at most.
The company was also quick to downplay the significance of the bug. It said:
The bug did not give developers access to information such as financial data, national identification numbers, passwords, or similar data typically used for fraud or identity theft.
No third party compromised our systems, and we have no evidence that the developers who inadvertently had this access for six days were aware of it or misused it in any way.
Nevertheless, the bug seems to have strengthened Google’s resolve to drive a stake through the heart of its social media network. The company has decided to kill it off more quickly. It will shut down all Google+ APIs in the next 90 days and move forward the sunsetting of the consumer Google+ service to April 2019.
If a service could slouch, Google+ would be doing so right now. It’s a humiliating end for a platform that never reached its full potential, faced with red-hot competition from Facebook.