A fresh Google+ bug exposed the data of 52.5 million users last month, Google said today – and the company is now hastening to shut the little-loved social media platform earlier than initially planned.
The bug granted apps full access to profile information even when the user had set their permissions to private. It comes after the company in October disclosed that it had exposed the data of over 500,000 users.
The issue, announced today, also affected enterprise customers.
David Thacker, VP, Product Management, G Suite, said: “A list of impacted [business] users in those domains is being sent to system administrators”.
“In addition, apps with access to a user’s Google+ profile data also had access to the profile data that had been shared with the consenting user by another Google+ user but that was not shared publicly,” he noted.
In other words, it allowed apps to see Google+ users’ friends’ data too.
Google+ API Bug “Found, Fixed in a Week”
The bug resulted from a November software update and was discovered as “part of our standard and ongoing testing procedures”, Google said, without stating precisely when and whether it had told European regulators.
The decision comes after the company in October revealed that a Google+ bug had exposed the personal profiles of up to 500,000 users, with the API at fault used by 438 applications. The company took six months to reveal that issue.
That bug, in the People API, exposed the name, date of birth, email address, relationship status, places lived, biography and more of up to half a million people. Google consequently opted to close the little-used social media platform.
New Google+ Bug: No Compromise
“No third party compromised our systems, and we have no evidence that the app developers that inadvertently had this access for six days were aware of it or misused it in any way,” Thacker wrote today.
He added: “With the discovery of this new bug, we have decided to expedite the shut-down of all Google+ APIs; this will occur within the next 90 days.”
The company is also bringing forward its planned closure of consumer Google+ by five months, from August 2019 to April 2019.
Thacker said: “While we recognize there are implications for developers, we want to ensure the protection of our users.”
A Note for Enterprise Users…
“We want to reiterate that we will continue to invest in Google+ for enterprise. More details were announced in October”, Thacker said.
He was referring to tightened control over API access to Gmail user data, with Google in October updating its User Data Policy for the consumer Gmail API to limit the apps that can seek permission to access consumer Gmail data and saying it has “clarified that human review of email data must be strictly limited.”
“Only apps directly enhancing email functionality—such as email clients, email backup services and productivity services (e.g., CRM and mail merge services)—will be authorized to access this data. Moreover, these apps will need to agree to new rules on handling Gmail data and will be subject to security assessments,” Ben Smith, Google VP of Engineering, wrote at the time.