Google has found no evidence of misuse of user information courtesy of a security glitch in the social platform’s API
Google will “sunset” Google+ for consumers, according to the company’s blog post, in a move precipitated by a bug in the social network’s API that may have exposed the data of half a million users to outside developers.
The announcement was made shortly after The Wall Street Journal released a report (paywalled) about the security hole. The flaw was introduced with the platform’s redesign in 2015 and existed until it was discovered and patched in March of this year. Google’s security engineers came upon the problem during their “Project Strobe” security audit into all APIs associated with Google+.
The probe also found that up to 438 external applications, such as online games or quizzes, could have exploited the flaw. The bug, which resided in Google+ People API, may have provided external developers with access to the “static” profile information of Google+ users, such as name, email address, occupation, gender and age – even when the data were listed as private.
Other kinds of data – notably Google+ posts, messages, Google account data or phone numbers – were not in danger.
Importantly, Google found no evidence of misuse of user information or that any developer had been aware of or had exploited the vulnerability. Additionally, the company said that it cannot actually determine which users may have been at risk, as data that show which apps access users’ profiles are automatically deleted every two weeks.
As to why the company chose not to inform the public earlier, Google‘s Vice President of Engineering, Ben Smith, stated: “Our Privacy & Data Protection Office reviewed this issue, looking at the type of data involved, whether we could accurately identify the users to inform, whether there was any evidence of misuse, and whether there were any actions a developer or user could take in response. None of these thresholds were met in this instance.”
However, the company is now copping some flak for not disclosing the bug earlier, and CNBC has quoted a spokesman for the Irish Data Protection Commission (DPC) as saying that DPC, which is the company’s lead supervisory authority in the EU, will press Google for more information about the security glitch.
What Project Strobe has also done, according to Smith, is “highlight the significant challenges in creating and maintaining a successful Google+ that meets consumers’ expectations”.
These challenges and the platform’s failure to attract user interest have ultimately prompted the demise of Google+ for individual users, which will take place in piecemeal fashion over the next 10 months. Launched in 2011, the platform has largely been seen as an also-ran among the likes of Facebook or Twitter.
“This review crystallized what we’ve known for a while: that while our engineering teams have put a lot of effort and dedication into building Google+ over the years, it has not achieved broad consumer or developer adoption, and has seen limited user interaction with apps,” according to Google, which said that 90 percent of Google+ users use the platform for less than five seconds.
Meanwhile, the service has survived the axe as an enterprise product, with Google finding that Google+ is better suited for businesses.
On a different note, Google also announced that is also introducing more granular Google Account permissions that will show in individual dialog boxes. “Going forward, consumers will get more fine-grained control over what account data they choose to share with each app,” said Google.
In a similar vein, the company’s Android app store, Google Play, will limit which apps are allowed to request permission to access a user’s phone (including call logs) and SMS data. Barring some exceptions, “[o]nly an app that you’ve selected as your default app for making calls or text messages will be able to make these requests”, said Google.