Google hid major Google+ security flaw that exposed users’ personal information

Illustration: Alex Castro / The Verge

Google exposed the personal information of hundreds of thousands of users of its Google+ social network, the company announced in a blog post this morning. The news, originally reported by The Wall Street Journal ahead of Google’s announcement, means that Google+ profile information like name, email address, occupation, gender, and age was exposed to third-party apps, even when that data was listed as private and not public. However, Google says that it has no evidence to suggest any third-party developers were aware of the bug or abused it. The bug, affecting a profile API that was accessed by hundreds of developers, appears to have been active between 2015 and 2018.
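The failure mode described above, modelled as an added example that is not code from the original article and not Google’s implementation: a profile-lookup endpoint that filters fields by what the signed-in user is allowed to see, rather than by what the calling third-party app is authorized to receive, placed beside a hardened version. The field names, visibility levels, the `profile.read` scope name and the sample profile are all assumptions constructed for the example.

```python
"""Model of a field-visibility authorization bug in a profile API.

Added illustration, not Google's code. Field names, visibility levels,
the scope name and the sample profile below are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, Set

# Visibility levels a profile owner can assign to each field (assumed model).
PUBLIC = "public"    # visible to anyone
CIRCLES = "circles"  # visible only to people the owner has shared with
PRIVATE = "private"  # visible only to the owner


@dataclass
class Profile:
    owner: str
    fields: Dict[str, str]       # field name -> value
    visibility: Dict[str, str]   # field name -> PUBLIC / CIRCLES / PRIVATE
    shared_with: Set[str] = field(default_factory=set)  # may see CIRCLES fields


def fields_visible_to(profile: Profile, viewer: str) -> Dict[str, str]:
    """What a human viewer sees when browsing the profile directly."""
    out = {}
    for name, value in profile.fields.items():
        vis = profile.visibility[name]
        if (vis == PUBLIC or viewer == profile.owner
                or (vis == CIRCLES and viewer in profile.shared_with)):
            out[name] = value
    return out


def buggy_api_people_get(profile: Profile, requesting_user: str,
                         app_scopes: Set[str]) -> Dict[str, str]:
    """Vulnerable endpoint: an app acting for `requesting_user` receives every
    field that user can see, including fields another person shared with the
    user but never marked public. The scope check is the only gate."""
    if "profile.read" not in app_scopes:
        raise PermissionError("app lacks profile.read scope")
    return fields_visible_to(profile, requesting_user)


def fixed_api_people_get(profile: Profile, requesting_user: str,
                         app_scopes: Set[str]) -> Dict[str, str]:
    """Hardened endpoint: the app gets the consenting user's own full profile,
    but for anyone else's profile only PUBLIC fields, regardless of what the
    user personally has been allowed to see."""
    if "profile.read" not in app_scopes:
        raise PermissionError("app lacks profile.read scope")
    if requesting_user == profile.owner:
        return dict(profile.fields)
    return {n: v for n, v in profile.fields.items()
            if profile.visibility[n] == PUBLIC}


def leaked_fields(profile: Profile, requesting_user: str,
                  app_scopes: Set[str]) -> Set[str]:
    """Fields the vulnerable endpoint hands to an app that the fixed one withholds."""
    buggy = buggy_api_people_get(profile, requesting_user, app_scopes)
    fixed = fixed_api_people_get(profile, requesting_user, app_scopes)
    return set(buggy) - set(fixed)


# Constructed sample data (not real users).
ALICE = Profile(
    owner="alice",
    fields={"name": "Alice Example", "email": "alice@example.com", "age": "34"},
    visibility={"name": PUBLIC, "email": CIRCLES, "age": PRIVATE},
    shared_with={"bob"},
)
APP_SCOPES = {"profile.read"}

if __name__ == "__main__":
    # An app authorized by bob looks up alice's profile.
    print("buggy :", buggy_api_people_get(ALICE, "bob", APP_SCOPES))
    print("fixed :", fixed_api_people_get(ALICE, "bob", APP_SCOPES))
    print("leaked:", leaked_fields(ALICE, "bob", APP_SCOPES))
```

The check a reviewer would want is the last one: for any requester other than the profile owner, the set of fields an app receives must not depend on who the requester is. In the buggy version it does, so an app that bob installed learns alice’s non-public email simply because alice shared it with bob; no exploit is needed beyond calling the endpoint normally, which is why Google could not rule misuse in or out from the API’s behaviour alone.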

The company says it closed the bug in March 2018 shortly after learning of its existence. The WSJ reports that the company chose not to report it because of fear of “immediate regulatory interest” that would lump Google in with Facebook, according to one source’s description of the incident. At the time, Facebook had just publicly disclosed that data mining firm Cambridge Analytica had illegally purchased tens of millions of users’ profile information from a third-party app maker, who had gleaned that information from people who logged into a personality quiz and inadvertently granted the app access to their friends list.

Google says it discovered the bug as part of an effort called Project Strobe, which Google describes as a “review of third-party developer access to Google account and Android device data and of our philosophy around apps’ data access,” according to Ben Smith, the blog post author and a vice president of engineering. As a result of the bug, the company is shutting down the consumer-facing element of Google+, noting that 90 percent of sessions lasted less than five seconds. About 500,000 user profiles were affected by the bug, Smith notes.

In the post, Smith gives a rationale for not disclosing the bug earlier:

Every year, we send millions of notifications to users about privacy and security bugs and issues. Whenever user data may have been affected, we go beyond our legal requirements and apply several criteria focused on our users in determining whether to provide notice.

Our Privacy & Data Protection Office reviewed this issue, looking at the type of data involved, whether we could accurately identify the users to inform, whether there was any evidence of misuse, and whether there were any actions a developer or user could take in response. None of these thresholds were met in this instance.

The Google+ shutdown will take place over the course of the next 10 months, concluding in August of 2019. Google still plans to make Google+ available as an enterprise product for companies, which is a curious move for a product that had a massive, exploitable bug built into a core API for three years. “We’ve decided to focus on our enterprise efforts and will be launching new features purpose-built for businesses. We will share more information in the coming days,” Smith writes.

Update 10/8, 2:45PM ET: Added Google’s rationale for not disclosing the bug earlier.

Comments

As a result of the breach, the company is shutting down the consumer-facing element of Google+

I’m completely surprised that it took a user data breach for Google to decide "let’s just shut down Google+ since no one’s using it".

don’t worry, they are still using it and all that information a bunch of rubes entered into it.

Also they’re kind of burying the lede here that seems like pretty big news.

And I thought Google would never do such a thing…

Doesn’t hiding a flaw violate the GDPR?

Yes, I believe it does if it were to happen now. However, the fix happened in March, which is before GDPR went into effect in May. I wonder if that exempts Google from legally having to disclose the issue to EU citizens.

Pretty much anything you do violates GDPR.

"About 500,000 user profiles were affected by the breach, Smith notes."

400K of which were fake and 90K of which hadn’t been updated in 2 years.

I haven’t changed name, email address, birthday and gender in the past two years, so the data is still relevant…

There is a small community of people who still use G+. My mom is one of them, actually. This is really going to piss her off.

Google would have had a better go of it if they hadn’t changed things every few months on G+. If Facebook changed that quickly they’d have failed too.

There are a bunch of 3rd party data aggregators that have been siphoning up data for years. I was surprised to find a lot of my data was from Google+.

Google and Privacy does not compute... Expect to be used, abused and exploited when using any of their services.

True story.

As a member of the tech industry, I find this unethical and trust-breaking action alarming. I hope we take a hard look at our data management practices and do what’s in the best interest of the users. While G+ was not a social network used by a meaningful number of people, the act of hiding a data breach is a serious violation of trust nevertheless.

There was no confirmed data "breach". There was a bug, that left open a door to a potential breach. They didn’t say there was a bug.
There’s a difference.

What a bunch of hypocrites. They don’t wait to disclose vulnerabilities in other companies’ software, but when they have a huge, gaping security hole they basically refuse to disclose it.

Don’t be silly, it’s simply a ‘feature’ they overlooked... /s

What are you talking about? They disclose other bugs they find only if the other party doesn’t fix the bug in reasonable time.
They fixed this bug as soon as they discovered it. And they discovered it themselves.

Not at all. Google routinely discloses Microsoft bugs even if they know Microsoft is working on a fix. It is not Google’s right, nor is it their responsibility, to designate an arbitrary ‘reasonable amount of time’ if they know a company is working on a fix. That Google can’t even keep its own house in order, and doesn’t bother to disclose bugs that have actually resulted in user data being breached.

https://www.theverge.com/2018/2/19/17027138/google-microsoft-edge-security-flaw-disclosure

doesn’t bother to disclose bugs that have actually resulted in user data being breached.

I’m with you, but Google says there was no breach.

They claim to not know about a breach. It looks like a part of an open API which many third parties used.

Hey, Alex Jones is a real person and totally not a lizard demon.

the personal information of hundreds of thousands of users of its Google+ social network

I’m confused by these numbers in the post. Is this a subset of people on G+? Is this everyone who actively logged in and posted something? Or is it anyone that used any other Google service that uses G+ as its back end?

I have no idea whether to be worried. I don’t actively use Google+, but I have a profile page, as I believe pretty much everyone does who uses any Google product. I know this breach couldn’t apply to all those who have ever created a G+ profile because that must be millions of people, but I can’t tell from this who it actually does apply to.

You should be worried if you care if some app that you logged in with Google+ potentially knows your address, gender or any other optional info that you added to your profile. Those are the things that apps had access to according to Google.
