A bug in the Google+ core API has exposed the information of up to 500,000 users to third-party developers. The information includes the age, gender, email address, birth date, profile photo, occupation and name of users. According to The Wall Street Journal, Google discovered the bug earlier in the spring and did not disclose it for fear that doing so would draw regulatory scrutiny and cause reputational damage to the company.
The company representative, Smith, gives a rationale for not disclosing the information in the blog post published yesterday morning, stating that:
Every year, we send millions of notifications to users about privacy and security bugs and issues. Whenever user data may have been affected, we go beyond our legal requirements and apply several criteria focused on our users in determining whether to provide notice.
Our Privacy & Data Protection Office reviewed this issue, looking at the type of data involved, whether we could accurately identify the users to inform, whether there was any evidence of misuse, and whether there were any actions a developer or user could take in response. None of these thresholds were met in this instance.
In the blog post, the company justified its action, stating that it determines the severity of a vulnerability based on the type of data involved, who to inform about the data, whether the data has been misused, and whether there is any action a user can take in response. Based on these criteria, Google did not inform the users.
Google says that 438 apps were using the API that made the private data available to developers, but that it has found no evidence so far of customer data being misused by any third party. The bug was not discovered or abused by third parties in the time span between 2015 and 2018. The bug affected an API that was accessed by hundreds of third-party developers.
According to Google, it closed the bug in March 2018, shortly after discovering its existence. According to Ben Smith, the blog post author and a vice president of engineering at Google:
“We discovered the bug as part of an effort called Project Strobe, which was launched to ‘review of third-party developer access to Google account and Android device data and of our philosophy around apps’ data access.’”
According to the WSJ report, the company chose not to disclose the bug for fear of “immediate regulatory interest” that would line Google up with Facebook. At that time, Facebook was facing a legal trial for disclosing the information of tens of millions of users to a third-party data mining company called Cambridge Analytica.
The Google+ shutdown will take place over the next ten months, wrapping up by the end of August 2019. The product was launched back in 2011 and never gained much popularity. The consumer version currently has low usage, with engagement that lasts less than five seconds. The company still plans to keep Google+ live for enterprises as a corporate product, which is a curious move given that the product had a major exploitable bug in its core API for three years.
Even after the bug was disclosed, people are still using Google+.
Smith from Google wrote:
“We’ve decided to focus on our enterprise efforts and will be launching new features purpose-built for businesses. We will share more information in the coming days.”
This summer we have seen big glitches in the tech world. Over the last year, all the giant tech companies, including Facebook, Google, Twitter and others, have testified before various House and Senate committees about their data privacy practices, the risk of election meddling, and the possibility of data leaks.
With all that has been happening, every internet user should use a security tool to protect their information online and anonymize their online presence.