Google has decided to shut its failing social network Google+ after a bug in one of its APIs was found to have exposed the personal details of half a million users.
The vulnerability in question was found and “immediately patched” during an audit of third-party developer access to the platform, known as Project Strobe.
“Users can grant access to their Profile data, and the public Profile information of their friends, to Google apps, via the API. The bug meant that apps also had access to Profile fields that were shared with the user, but not marked as public,” explained VP of engineering, Ben Smith.
“This data is limited to static, optional Google+ Profile fields including name, email address, occupation, gender and age. It does not include any other data you may have posted or connected to Google+ or any other service, like Google+ posts, messages, Google account data, phone numbers or G Suite content.”
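The bug as described is a field-level authorization flaw: the API filtered a friend's profile by what the *acting user* was allowed to see rather than by what the *app's grant* covered (public fields only). The following added example models that distinction in simplified form; it is not Google's code, and the `Visibility` values, profile fields and user names are constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Visibility(Enum):
    PUBLIC = "public"    # marked public on the profile
    SHARED = "shared"    # shared with specific people, but not public
    PRIVATE = "private"  # visible to the owner only


@dataclass(frozen=True)
class ProfileField:
    value: str
    visibility: Visibility
    shared_with: frozenset = frozenset()  # user ids a SHARED field is shared with


@dataclass
class Profile:
    user_id: str
    fields: dict  # field name -> ProfileField


def visible_to_user(profile, viewer_id):
    """Fields the viewer may see when browsing: public ones plus ones shared with them."""
    return {name: f.value for name, f in profile.fields.items()
            if f.visibility is Visibility.PUBLIC
            or (f.visibility is Visibility.SHARED and viewer_id in f.shared_with)}


def buggy_api_friend_profile(profile, acting_user_id):
    # Defect modelled on the article: the API reused the acting user's visibility,
    # so a third-party app received fields the friend had shared with that user
    # even though they were never marked public.
    return visible_to_user(profile, acting_user_id)


def fixed_api_friend_profile(profile, acting_user_id):
    # The grant covers only the public profile information of friends, so the
    # filter must be the grant's scope, independent of who the acting user is.
    return {name: f.value for name, f in profile.fields.items()
            if f.visibility is Visibility.PUBLIC}


def overexposed_fields(profile, acting_user_id):
    """Field names the buggy path leaks beyond the grant (constructed check)."""
    return set(buggy_api_friend_profile(profile, acting_user_id)) \
        - set(fixed_api_friend_profile(profile, acting_user_id))


# Constructed sample: "bob" is a friend of "alice", who authorised a third-party app.
BOB = Profile("bob", {
    "name": ProfileField("Bob Example", Visibility.PUBLIC),
    "occupation": ProfileField("Engineer", Visibility.PUBLIC),
    "email": ProfileField("bob@example.test", Visibility.SHARED, frozenset({"alice"})),
    "age": ProfileField("41", Visibility.SHARED, frozenset({"alice"})),
    "gender": ProfileField("male", Visibility.PRIVATE),
})
```

Running `overexposed_fields(BOB, "alice")` yields `{"email", "age"}`, the non-public fields an app acting for alice would have obtained through the buggy path; for a user bob shared nothing with, the two paths agree.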
Rather controversially, the bug discovery happened in March of this year, with Google electing not to inform customers immediately.
“We made Google+ with privacy in mind and therefore keep this API’s log data for only two weeks. That means we cannot confirm which users were impacted by this bug,” said Smith. “However, we ran a detailed analysis over the two weeks prior to patching the bug, and from that analysis, the Profiles of up to 500,000 Google+ accounts were potentially affected. Our analysis showed that up to 438 applications may have used this API.”
He added that none of the company’s thresholds for public disclosure was met, taking into account the type of data involved, whether Google could accurately identify the users to inform, and any evidence of profile data being misused or of developers abusing the API.
Although a business version of Google+ will remain for corporates to use internally, the consumer platform will be closed.
“The review did highlight the significant challenges in creating and maintaining a successful Google+ that meets consumers’ expectations. Given these challenges and the very low usage of the consumer version of Google+, we decided to sunset the consumer version of Google+,” explained Smith.
“To give people a full opportunity to transition, we will implement this wind-down over a 10-month period, slated for completion by the end of next August. Over the coming months, we will provide consumers with additional information, including ways they can download and migrate their data.”
High-Tech Bridge CEO, Ilia Kolochenko, claimed the vulnerability's discovery is another example of why a bug bounty program is not a silver bullet for web security.
“Application security is a multi-layered approach process that requires continuous improvement and adaptation for new risks and threats,” he added. “Such vulnerabilities usually require a considerable amount of effort to be detected, especially if they reappear on a system that has already been tested. Continuous and incremental security monitoring is vital to maintain modern web systems secure.”