Data Breach

Google was aware of a flaw that exposed over 500,000 of Google Plus users, but did not disclose it

This is a very bad news for Google that suffered a massive data breach that exposed the private data of over 500,000 of Google Plus users to third-party developers.

As a consequence of the data exposure, the company is going to shut down the social media network Google+.

The root cause of the data breach is a security vulnerability affecting one of Google+ People APIs that allowed third-party developers to access data for more than 500,000 users.

Exposed data include including usernames, email addresses, occupation, date of birth, profile photos, and gender-related information.

The worse aspect of the story is that the company did not disclose the flaw in the Google+ when it first discovered the issue in this spring because it feared regulatory scrutiny and reputational damage.

“Google exposed the private data of hundreds of thousands of users of the Google+ social network and then opted not to disclose the issue this past spring, in part because of fears that doing so would draw regulatory scrutiny and cause reputational damage, according to people briefed on the incident and documents reviewed by The Wall Street Journal.” reported the Wall Street Journal.

“As part of its response to the incident, the Alphabet Inc. unit on Monday announced a sweeping set of data privacy measures that include permanently shutting down all consumer functionality of Google+.”

Google declared that its experts immediately addressed this vulnerability in March 2018 and that they have found no evidence that any developer has exploited the flaw to access users data. The flaw was present in the Google+ People APIs since 2015.

“We discovered and immediately patched this bug in March 2018. We believe it occurred after launch as a result of the API’s interaction with a subsequent Google+ code change.” reads a blog post published by Google.

“We made Google+ with privacy in mind and therefore keep this API’s log data for only two weeks. That means we cannot confirm which users were impacted by this bug. However, we ran a detailed analysis over the two weeks prior to patching the bug, and from that analysis, the Profiles of up to 500,000 Google+ accounts were potentially affected. Our analysis showed that up to 438 applications may have used this API.”

The choice of not disclosing the vulnerability was probably influenced by the Cambridge Analytica scandal that was occurring in the same period.

“A memo reviewed by the Journal prepared by Google’s legal and policy staff and shared with senior executives warned that disclosing the incident would likely trigger “immediate regulatory interest” and invite comparisons to Facebook’s leak of user information to data firm Cambridge Analytica.” continues the WSJ.

Experts believe that the vulnerability in Google+ is similar to the one recently discovered in Facebook API.

Google will maintain Google+ only for Enterprise users starting from August 2019.

Google also provided information about the Project Strobe program that has seen a privacy internal task force conducting a companywide audit of the company’s APIs in recent months.

“In a blog post on Monday, Google said it plans to clamp down on the data it provides outside developers through APIs. The company will stop letting most outside developers gain access to SMS messaging data, call log data and some forms of contact data on Android phones, and Gmail will only permit a small number of developers to continue building add-ons for the email service, the company said.” concludes the WSJ.
“The coming changes are evidence of a larger rethinking of data privacy at Google, which has in the past placed relatively few restrictions on how external apps access users’ data, provided those users give permission. Restricting access to APIs will hurt some developers who have been helping Google build a universe of useful apps.”
[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Google Plus flaw, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

An unpatched bug allows anyone to impersonate Microsoft corporate email accounts

A researcher discovered a flaw that allows attackers to impersonate Microsoft corporate email accounts and…

4 hours ago

Smishing Triad Is Targeting Pakistan To Defraud Banking Customers At Scale

Resecurity researchers warn of a new activity of Smishing Triad, which has expanded its operations…

5 hours ago

Alleged researchers stole $3 million from Kraken exchange

Alleged researchers have exploited a zero-day in Kraken crypto exchange to steal $3 million worth…

14 hours ago

Google Chrome 126 update addresses multiple high-severity flaws

Google released Chrome 126 update that addresses a high-severity vulnerability demonstrated at the TyphoonPWN 2024…

17 hours ago

Chip maker giant AMD investigates a data breach

AMD announced an investigation after a threat actor attempted to sell data allegedly stolen from…

24 hours ago

Cryptojacking campaign targets exposed Docker APIs

A malware campaign targets publicly exposed Docker API endpoints to deliver cryptocurrency miners and other…

1 day ago

This website uses cookies.