Second Google+ bug hastens shutdown

News by Teri Robinson

After a second, newly discovered, bug affected 52.5 million Google+ users, Google has decided to shutter the social network earlier than originally planned.

"We’ve recently determined that some users were impacted by a software update introduced in November that contained a bug affecting a Google+ API," David Thacker, vice president of product management for G Suite, wrote in a Monday blog post. "With the discovery of this new bug, we have decided to expedite the shut-down of all Google+ APIs" within 90 days and will "accelerate the sunsetting of consumer Google+ from August 2019 to April 2019."

Thacker said the bug, which Google fixed within a week, was discovered as part of the company’s "standard and ongoing testing procedures" and assured users that the company’s systems hadn’t been compromised by a third party. "We have no evidence that the app developers that inadvertently had this access for six days were aware of it or misused it in any way," he wrote.

The affected API allowed apps that had requested permission to view profile information, such as name, occupation, email address and age, to see that information even when the user had not set it to public. It did not give developers access to the kinds of data typically used to commit identity fraud, such as social security numbers, financial data or passwords.
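To make the class of defect described above concrete, here is a constructed model of a profile API that grants an app a single "read profile" scope: the buggy variant returns every field once the scope is held, the hardened variant also enforces the owner's per-field visibility setting. This is an added illustration, not Google's code; the field names, the `profile.read` scope and the sample profile are all assumed.

```python
from dataclasses import dataclass

# Constructed example: each profile field carries a visibility setting chosen
# by the profile owner; an app calls the API holding a set of granted scopes.
PUBLIC, PRIVATE = "public", "private"


@dataclass
class ProfileField:
    name: str
    value: str
    visibility: str  # PUBLIC or PRIVATE, chosen by the profile owner


@dataclass
class Profile:
    owner: str
    fields: list  # list of ProfileField


def profile_view_buggy(profile, app_scopes):
    """Defect modelled on the article: once an app holds the profile scope,
    every field is returned, regardless of the owner's visibility setting."""
    if "profile.read" not in app_scopes:
        return {}
    return {f.name: f.value for f in profile.fields}


def profile_view_fixed(profile, app_scopes, requester=None):
    """Hardened version: the scope only unlocks fields the owner made public,
    unless the requester is the owner, who may always see their own data."""
    if "profile.read" not in app_scopes:
        return {}
    return {
        f.name: f.value
        for f in profile.fields
        if f.visibility == PUBLIC or requester == profile.owner
    }


# Constructed sample profile (hypothetical user and values).
SAMPLE = Profile(
    owner="alice",
    fields=[
        ProfileField("name", "Alice Example", PUBLIC),
        ProfileField("occupation", "Engineer", PRIVATE),
        ProfileField("email", "alice@example.test", PRIVATE),
        ProfileField("age", "34", PRIVATE),
    ],
)


def leaked_fields(profile, app_scopes):
    """Fields a third-party app sees under the buggy view but not the fixed one."""
    buggy = profile_view_buggy(profile, app_scopes)
    fixed = profile_view_fixed(profile, app_scopes)
    return sorted(set(buggy) - set(fixed))
```

Running `leaked_fields(SAMPLE, {"profile.read"})` lists the non-public fields the buggy view exposes, which is the kind of difference a regression test on an authorization layer should catch.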

Google is alerting both consumer and enterprise users affected by the flaw.

"It’s been a bad couple months to be Google. The good news is that Google identified the vulnerabilities themselves, which isn’t always the case, and executives are accelerating actions to protect their users’ data from further exposure, now deciding to sunset Google+ four months earlier than originally planned," said Imperva CTO Terry Ray, who explained "a door was left open, but as far as the company can tell, no one went in and nothing was taken."

Google’s proactive public announcement "may be the beginning of a trend, time will tell," Ray said. "It seems companies have begun letting users know about exposures, whether in the hopes of some goodwill if something is found to be stolen and/or in the hopes that users will review their account statements and be extra vigilant when vetting e-mail and other communications against scammers."

He expects Google CEO Sundar Pichai "will likely have to answer some tough questions on the Hill tomorrow—especially since the first data exposure was originally not going to be disclosed to users," but gave the company credit for "taking this issue seriously" as well as "learning from previous mistakes."

Stephan Chenette, co-founder and CTO, AttackIQ, also praised Google for learning from past mistakes and disclosing the second bug "much sooner" in an attempt to be transparent. "Google has learned that while security incidents have short-term impacts on stock prices, the long-term price is heavily influenced by how the company handles public disclosure of the breach," he said.

Bugs in APIs "can provide a direct gateway to sensitive customer info without checking who is accessing the data," representing a threat that "is a growing concern for businesses because applications are critical to doing business across industries," Ray said. "As we’ve seen over the last year of breaches, APIs are particularly vulnerable to third-party application security coding errors. Web applications have been quickly growing more complex as users and companies demand more from their online, mobile and connected device experiences."

Rami Essaid, co-founder, Distil Networks, maintained "APIs impact business and the world around us more than most people realise," and said that API security "flying under the radar and not being adequately addressed should be a red flag prompting organisations to examine their own practices."

He called for CIOs and CISOs "to get a handle on how responsibility is addressed within their organisations and decide whether the process is sufficiently robust."

This article was originally published on SC Media US.