Reports have surfaced on the internet that the consumer version of Google’s social networking platform, Google+, accidentally leaked the data of hundreds of thousands of its users.
According to unnamed sources citing internal Google documents, “data of up to 500,000 users between 2015 and March 2018 due to an Application Program Interface (API) bug present in the system has been exposed.”
The API flaw allowed third-party app developers access to profile and contact information of users who signed into those apps via Google+, the report said. The breach also leaked the data of social connections even if they marked the information as private.
In total, up to 496,951 users are reportedly affected, and an estimated 438 apps could have gained access to this data.
The document reveals that Google said, “a software glitch in the social site gave outside developers potential access to private Google+ profile data between a major redesign in 2015 and March 2018, when internal investigators discovered and fixed the issue.”
And, that the affected data was “limited to static, optional Google+ Profile fields including name, email address, occupation, gender, and age.”
More interestingly, the company opted to “not disclose the issue” to avoid regulatory scrutiny and reputational damage, and Google CEO Sundar Pichai was briefed on both the breach and the plan.
In this regard, a memo by Google’s Privacy and Data Protection division warned senior executives that disclosing the issue would likely cause “immediate regulatory action” and comparisons to Facebook’s Cambridge Analytica scandal.
Google, responding to the report, said that it discovered and patched the bug in March, and that the bug had allowed third-party developers access to users’ personal data.
Amid this, Google has announced the closing of the consumer version of Google+ social network citing “low usage and engagement,” adding that “90 percent of Google+ user sessions are less than five seconds.”
The closure of the consumer version of Google+ will happen over a 10-month period and will be complete by the end of August 2019.
Google will offer users additional information, including how to download and migrate their data, over the “next few months.”
The company also revealed that going forward it will only invest in Google+ for the enterprise and will bring Google+ consumer-version features to the enterprise version.
Here are some updates coming in the next few days:
- Refreshed design for Google+ enterprise on the web
- Moderation controls to curate employees’ posts, ensuring quality content
- Enterprise dashboards to see post analytics and engagement metrics
- Posting experience with an ability to tag posts by a topic.
Google touts central controls such as “employee access management, OAuth access management, and service on/off controls” as features of enterprise Google+.
At the beginning of this year, Google started a project called “Strobe” that looked at “third-party developer access to Google account and Android device data,” “privacy controls,” platforms where users were not engaging with APIs due to privacy concerns, and other areas where Google policies needed to be “tightened.”
As part of Project Strobe, Google reviewed all the Google+ APIs more closely and found a bug in one of the Google+ People APIs.
Google’s Strobe security audit found the following:
- A bug in one of the Google+ People APIs meant that apps also had access to Profile fields shared with the user but not marked as public.
- Data is limited to static, optional Google+ Profile fields including name, email address, occupation, gender, and age.
- The data breach does not include any other data a user may have posted or connected to Google+ or any other service.
- The bug was discovered and immediately patched in March 2018.
- The profiles of up to 500,000 Google+ accounts were potentially affected.
- Google cannot confirm which users were specifically affected by this bug.
- There’s no evidence that any developer was aware of this bug or abusing the API.
- There’s no evidence of misuse of any user profile data.
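To make the bug pattern in the first bullet concrete, here is an added Python illustration (not Google’s code; the profile, visibility values and circle membership are constructed): an endpoint that filters profile fields by what the signed-in user may see, beside one that returns only the fields the owner marked public.

```python
# Added illustration of the access-control mistake described in the report.
# Profile fields, visibility levels and the circle graph are all constructed.

PUBLIC, CIRCLES, PRIVATE = "public", "circles", "private"

# Constructed sample profile: each field carries an owner-chosen visibility.
PROFILE = {
    "name":       ("Alice Example",         PUBLIC),
    "occupation": ("Engineer",              CIRCLES),  # shared with circles only
    "email":      ("alice@example.invalid", CIRCLES),
    "age":        (34,                      PRIVATE),
    "gender":     ("F",                     PRIVATE),
}

# Constructed social graph: accounts the owner has placed in her circles.
CIRCLE_MEMBERS = {"bob"}


def visible_to_user(profile, viewer):
    """Fields the signed-in *user* may see when browsing the profile directly."""
    out = {}
    for key, (value, vis) in profile.items():
        if vis == PUBLIC or (vis == CIRCLES and viewer in CIRCLE_MEMBERS):
            out[key] = value
    return out


def people_api_buggy(profile, viewer):
    """Bug pattern from the report: the API applies the *user's* visibility, so a
    third-party app acting for a circle member also receives non-public fields."""
    return visible_to_user(profile, viewer)


def people_api_fixed(profile, viewer):
    """Hardened: an app receives only fields the owner marked public, no matter
    which user it is acting on behalf of."""
    return {k: v for k, (v, vis) in profile.items() if vis == PUBLIC}


def leaked_fields(profile, viewer):
    """Non-public field names the buggy endpoint would hand to an app."""
    buggy = set(people_api_buggy(profile, viewer))
    fixed = set(people_api_fixed(profile, viewer))
    return sorted(buggy - fixed)
```

Note that owner-private fields never leave either endpoint; the exposure is limited to fields the owner shared with a circle the app's user happens to belong to, which matches the “shared with the user, but not marked as public” wording above.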
Based on the Strobe findings, the company is launching more granular Google Account permissions, which will be shown in separate dialog boxes instead of presenting all requested permissions on a single screen.
As an example, when a developer requests access to both calendar entries and Drive documents, users will now be able to “choose to share one but not the other,” Google explained.
A look at how a new app requests access to data in a consumer Google account:
In addition, these updates also affect other Google apps, such as consumer Gmail: an update to the User Data Policy for the consumer Gmail API limits third-party apps’ ability to “request consumer Gmail data.”
Only apps that enhance email functionality are authorized to access this data, such as email clients, email backup services and productivity services, e.g., CRM and mail merge services.
Before accessing the data, these apps will have to abide by new rules on handling Gmail data, and they will also be subject to heightened security assessments.
G Suite customers are not affected by these changes, because G Suite admins are always in control of users’ apps.
Lastly, Google will also be limiting third-party apps’ ability to receive “Call Log” and “SMS” permissions on Android devices, and will stop making contact interaction data available through the Android Contacts API.
For example, going forward only the app a user has selected as the default for phone calls and text messages will be able to request access to call logs and SMS data.
Google Play will now limit apps allowed to ask for these permissions with some exceptions, such as “voicemail and backup apps.”
In the coming months, users can expect more controls and policy updates across more Google APIs, Google says.