A special ThreatWire post by Shannon Morse for DTNS Patrons

Google+ is a social network Google launched back in 2011, but its adoption rate was low. Last week, the Wall Street Journal reported on a vulnerability in the site that would allow third-party developers access to a user's private data on Google+ through the Google+ People API. The API lets a user grant apps access to their profile data. Unfortunately, this API option had a bug that let third parties see user profile fields that were marked as private.

According to WSJ, the problem originated in 2015 and Google had known about it since March of this year, but the company didn't disclose it for fear of regulatory backlash. The timing also coincided with Facebook's Cambridge Analytica scandal.

Google audited its security APIs as part of its Project Strobe effort, which surfaced the issue back in March, and CEO Sundar Pichai was aware of it. They patched the bug and moved on. On a related note, Pichai reportedly will testify before Congress in November to address the company's business practices and to answer US senators' requests for information on the Google+ vulnerability. In total, about 438 developers had access to the private data of 500,000 users on Google+, including name, email address, gender, profile picture, job status, location and birth date. Google believes no developer ever accessed or used the data.

Due to the low usage and the significant challenges of maintaining a social network, including security, Google decided to sunset the consumer version of Google+ over the coming 10-month period, with a final deadline of August 2019. The enterprise version will still be available.

With that said, their written update also explained more security updates. Google has updated how permissions work in apps on Android by implementing fine-grained control over what data users share with apps. The new Google Account permissions will force third-party apps to show each permission in its own dialog box instead of lumping them all into one page, and will also create the ability to deny or allow each permission on a case-by-case basis. Google is also working on limiting the access apps have to Gmail, SMS, Contacts, and Phone permissions.

Google says they will work on many other controls and updated policies in the coming months across several APIs. These updates will be pushed to users of the Google Suite of products, including Android. 

For more coverage of security stories like this and to get access to exclusive extras, check out ThreatWire on Patreon at: https://www.patreon.com/ThreatWire.
