Software Bug in Google+ Exposes Millions

Google

Google discovered a new critical vulnerability in Google+, a social media platform. The software bug potentially exposed private information of 52.5 million users. The bug was discovered during routine testing of the app and was fixed within a week

This is the second vulnerability to be discovered in Google+ in the last few months. The last data breach exposed private information of more than 500,000 Google+ users to third parties. Therefore, Google has decided to expedite the shutdown of Google+ months earlier than planned; from August 2019 to April 2019. All Google APIs will be shut down within the next 90 days. Google had previously announced the shutdown in October due to numerous maintenance challenges with Google+.

Google has stated the following:

  We want to give users ample opportunity to transition off of consumer Google+, and over the coming months, we will continue to provide users with additional information, including ways they can safely and securely download and migrate their data.

The vulnerability was discovered in Google+’s People APIs. The affected API was “People:get”. This API was created to allow developers to gain minimum information on user profiles. Unfortunately, after a new software update last month, People API allowed developers to look at private information on user profiles, even those set to not-public

The bug allowed apps to steal information on users, like name, email address, age, and occupation. Critical PII was not viewable by developers, such as passwords, financial data, national identification numbers. Further, any app that could view a user’s Google+ profile data, was also able to view profile data that had been shared to that user by another Google+ user.  It is also confirmed that Google systems were not compromised by a third party and there is no evidence that developers took advantage of the vulnerability.

If your organization has discovered a vulnerability within your organization contact LIFARS for help.