Google+ Bug Potentially Put 500,000 Accounts at Security Risk, Google Shutting Down Consumer Service


Google+ has been around for years, but it looks like the End Times are nearing, as Google makes a huge announcement on Monday that has nothing to do with its upcoming flagship smartphone.

A recent report from The Wall Street Journal outlined a major bug within Google+ that was discovered back in March of 2018. However, for a variety of reasons, but mostly because disclosure “would draw regulatory scrutiny and cause reputational damage”, Google decided not to tell its user base about the potential security threat, according to the report.

From that report:

“A software glitch in the social site gave outside developers potential access to private Google+ profile data between 2015 and March 2018, when internal investigators discovered and fixed the issue, according to the documents and people briefed on the incident. A memo reviewed by the Journal prepared by Google’s legal and policy staff and shared with senior executives warned that disclosing the incident would likely trigger “immediate regulatory interest” and invite comparisons to Facebook’s leak of user information to data firm Cambridge Analytica.”

While Google wasn’t willing to disclose the issue back then, it appears the company is now ready to talk about it. The company has revealed in a public blog post that the bug was indeed discovered back in March, and that it was patched immediately. The bug meant that apps “had access to Profile fields that were shared with the user, but not marked as public”, though the exposed data was limited to the optional data fields, including gender, age, and other options.

Google’s limited log data for Google+ means that it cannot confirm with any real certainty just how many accounts were affected by the bug, but the company says that an analysis covering the two weeks before the issue was patched earlier this year estimated that upwards of 500,000 accounts were “potentially affected”:

“We made Google+ with privacy in mind and therefore keep this API’s log data for only two weeks. That means we cannot confirm which users were impacted by this bug. However, we ran a detailed analysis over the two weeks prior to patching the bug, and from that analysis, the Profiles of up to 500,000 Google+ accounts were potentially affected. Our analysis showed that up to 438 applications may have used this API.”

Google finally adds that it found “no evidence” that a developer, any developer, was aware of the bug, and that the company “found no evidence that any Profile data was misused”.

Still, Google also admits that its social networking platform has not really taken off on the consumer side of things:

“The review did highlight the significant challenges in creating and maintaining a successful Google+ that meets consumers’ expectations. Given these challenges and the very low usage of the consumer version of Google+, we decided to sunset the consumer version of Google+.”

Google will be winding things down starting now, but it will take some time. 10 months, in fact, according to the company. Google+ will see its final sunset by the end of August, 2019.

Our Take

Google has discovered that maintaining a social network and keeping its privacy and security at the top level that users expect in 2018 is difficult, and it’s safe to say it didn’t handle this particular situation all that well. The fact that it didn’t disclose the bug at all when it happened, and is only doing so now as it announces Google+ is shutting down, feels weird, to say the least.

Were you using Google+ at all?

[via WSJ; Google]