Google axes Google+ following discovery of huge data leak

Rene Millman Read more October 9, 2018

Google is shutting down its failed social network and authentication system Google+.

The closure isn’t because people are happier using Facebook and Twitter instead of Google’s service. Instead, it’s due to Google uncovering a major security vulnerability that exposed the information of up to 500,000 accounts.

Outlined in a blog post, Google explained the vulnerability was discovered after it conducted a major security review – dubbed Project Strobe. Strobe found a sizeable flaw in Google+’ APIs, meaning that malicious apps could extract data from profiles, such as name, email addresses, occupation, gender and age.

“It does not include any other data you may have posted or connected to Google+ or any other service, like Google+ posts, messages, Google account data, phone numbers or G Suite content,” said Ben Smith, Google Fellow and vice president of engineering.

Smith said that “the Profiles of up to 500,000 Google+ accounts were potentially affected.” However, he added that the API’s log data is only kept for only two weeks and analysis showed that up to 438 applications may have used this API.

“We found no evidence that any developer was aware of this bug, or abusing the API, and we found no evidence that any Profile data was misused,” Smith said.

Google’s Privacy & Data Protection Office reviewed this issue to look at the type of data involved to see if the firm could accurately identify the users to inform, whether there was any evidence of misuse, and whether there were any actions a developer or user could take in response, according to Smith. “None of these thresholds were met in this instance,” he said.

Smith said that despite Google’s engineering teams putting in a lot of effort, “[Google+] has not achieved broad consumer or developer adoption, and has seen limited user interaction with apps. The consumer version of Google+ currently has low usage and engagement: 90% of Google+ user sessions are less than five seconds.”

Google+ will come to an end for consumers next August, but business users will still be able to use the service as an internal corporate social network.

The firm has also promised to institute new security rules, including limits around the types of use cases that are permitted to access consumer Gmail data.

“Only apps directly enhancing email functionality – such as email clients, email backup services and productivity services (e.g., CRM and mail merge services) — will be authorised to access this data,” Smith added.

Google will also remove access to contact interaction data from the Android Contacts API within the next few months. In addition, Google Account permissions dialog boxes will be split to show each requested permission, one at a time, within its own dialog box.