Google+ to shut after 500 000 users exposed

Date: 2018-10-09

The data of close to half a million Google+ users could be exposed; in response, Google will be shutting the service.

Reports indicate that a security bug allowed third-party developers to access Google+ user profile data from 2015 until Google discovered and patched it in March.

Google didn’t tell users about the vulnerability, which only came to light yesterday when the company announced the results of an investigation into controls and policies.

Ben Smith, Google fellow and vice-president: engineering, writes on the company blog: “Many third-party apps, services and websites build on top of our various services to improve everyone’s phones, working life, and online experience. We strongly support this active ecosystem.

“But increasingly, its success depends on users knowing that their data is secure, and on developers having clear rules of the road.

“Over the years we’ve continually strengthened our controls and policies in response to regular internal reviews, user feedback and evolving expectations about data privacy and security.

“At the beginning of this year, we started an effort called Project Strobe – a root-and-branch review of third-party developer access to Google account and Android device data and of our philosophy around apps’ data access.

“This project looked at the operation of our privacy controls, platforms where users were not engaging with our APIs because of concerns around data privacy, areas where developers may have been granted overly broad access, and other areas in which our policies should be tightened.”

Among the findings from Project Strobe are significant challenges in creating and maintaining a successful Google+ product that meets consumers’ expectations.

In response, the organisation is shutting down Google+ for consumers.

“Our review showed that our Google+ APIs, and the associated controls for consumers, are challenging to develop and maintain,” Smith writes. “Underlining this, as part of our Project Strobe audit, we discovered a bug in one of the Google+ People APIs.”

Users can grant access to their Profile data, and the public Profile information of their friends, to Google+ apps, via the API. The bug meant that apps also had access to Profile fields that were shared with the user, but not marked as public.
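A hypothetical model of the flaw described above, added here as an illustration and not taken from Google's code: the API answers an app with what the consenting user can see, rather than with what is marked public. The profile layout, function names and sample data are assumptions constructed for the example, and the check at the end is the kind of regression test that catches this class of bug.

```python
# Hypothetical model of a profile API's field filter; not Google's code.
PUBLIC = "public"

# Constructed sample: Bob's profile. Each field maps to (value, audience),
# where audience is PUBLIC or the set of user ids the field was shared with.
BOB = {
    "name": ("Bob Example", PUBLIC),
    "occupation": ("Engineer", {"alice"}),
    "email": ("bob@example.test", {"alice"}),
    "age": (41, {"carol"}),
}


def visible_to_user(profile, owner, viewer):
    """Fields a signed-in viewer may see inside the product itself."""
    return {
        name: value
        for name, (value, audience) in profile.items()
        if audience == PUBLIC or viewer == owner or viewer in audience
    }


def friend_fields_buggy(profile, owner, granting_user):
    # Flaw: the app receives the granting user's own view of a friend,
    # so fields shared privately with that user are passed on to the app.
    return visible_to_user(profile, owner, granting_user)


def friend_fields_fixed(profile, owner, granting_user):
    # The grant covers a friend's public fields only, whoever consented.
    return {n: v for n, (v, a) in profile.items() if a == PUBLIC}


def leaked_fields(api, profile, owner, granting_user):
    """Regression check: names of returned fields that are not public."""
    returned = api(profile, owner, granting_user)
    return sorted(n for n in returned if profile[n][1] != PUBLIC)


if __name__ == "__main__":
    # Alice installs an app and grants it access; Bob is her friend.
    for api in (friend_fields_buggy, friend_fields_fixed):
        print(api.__name__, leaked_fields(api, BOB, "bob", "alice"))
```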

Smith says the data is limited to static, optional Google+ Profile fields including name, email address, occupation, gender and age. “It does not include any other data you may have posted or connected to Google+ or any other service, like Google+ posts, messages, Google account data, phone numbers or G Suite content.”

He says the bug was discovered and patched in March 2018. “We believe it occurred after launch as a result of the API’s interaction with a subsequent Google+ code change.

“We made Google+ with privacy in mind and therefore keep this API’s log data for only two weeks. That means we cannot confirm which users were impacted by this bug. However, we ran a detailed analysis over the two weeks prior to patching the bug, and from that analysis, the Profiles of up to 500 000 Google+ accounts were potentially affected.

“Our analysis showed that up to 438 applications may have used this API.”

The shut-down of Google+ will take place over a 10-month period, and will be completed by the end of next August. “Over the coming months, we will provide consumers with additional information, including ways they can download and migrate their data,” Smith says.

Project Strobe also found that people want fine-grained controls over the data they share with apps.

In response, Google is launching more granular Google Account permissions that will show in individual dialog boxes.