Google+ Shuts Down After Vulnerability Secret Exposed

News
By published

(Image credit: Google)

According to a WSJ report, Google’s social media service, Google+, exposed the private profile data of almost 500,000 users for the past three years; however, the company opted not to tell anyone about it, fearing that it would face both reputation damage as well as new regulations.

Undisclosed User Data Exposure

Google learned in March that a software vulnerability that has existed in its Google+ service since 2015 could have allowed malicious third-party app developers to access users’ private profile information.

The company discovered the issue right when the Facebook-Cambridge Analytica privacy scandal was still fresh on everyone’s minds. At the time, multiple governments were scrutinizing Facebook over its data practices, and, according to WSJ's report, this seems to be the reason why Google failed to disclose its security issue to the public.

A memo by Google’s legal and policy team to the company’s senior executives and obtained by WSJ said that disclosing the incident would trigger “immediate regulatory interest” and invite comparison to Facebook’s scandal. After an internal committee had already reached the decision not to disclose the privacy and security issue to the public, Google’s CEO, Sundar Pichai, was also notified.

Google told WSJ that it came to the conclusion not to disclose the issue based on several factors, including whether the company could accurately identify the impacted users, whether there was any evidence of misuse and whether there was any action the users could have taken. The company said that “none of those thresholds were met.” The internal memo from the legal and policy staff said that the company had no evidence of any attack exploiting this vulnerability, but there was also no way to know for sure.

The exposed private profile data included full names, email addresses, birth dates, gender, profile photos, places lived, occupation and relationship status.

According to WSJ’s report, the Google+ privacy issue was due to an API that allowed third-party developers to collect users’ friends data, even if that data was set to non-public. When a user granted a developer permission to their profile, any of the data related to that profile could be collected by the developer. This is very similar to how Cambridge Analytica was able to collect data on millions of users too. Although it’s not able to tell whether or not apps misused user data, Google said that up to 438 applications had access to unauthorized Google+ data.

Google+ Shuts Down

Considering that Google+ has been considered a bit of a ghost town for years already, it’s not too surprising to see it shut down. However, it’s still interesting to see the company is making this decision now, after the privacy issue became public. 

The company told WSJ that shutting down Google+ is part of a recent effort to limit third-party developers access to its users’ data, including Gmail add-on developers and Android app developers.

Google said that only Gmail add-on developers that pass security audits will be allowed to continue accessing users' Gmail accounts, while “most” third-party Android developers will no longer receive access to users’ SMS messages, call logs and some additional forms of contact data on Android devices. Previous reports have found that some third-party Gmail add-on developers were reading users’ emails, supposedly to improve their algorithms.

Google CEO to Testify In Congress

Google’s lawyers advised the company’s executives, including its CEO, to avoid public disclosure of this privacy issue because the company was “not legally required” to do so. Unlike in the EU, where data breach notices are mandatory within three days of the event due to laws such as the recently passed GDPR, the U.S. doesn’t yet have federal laws regulating data breach notices.

Google also feared that disclosing the Google+ privacy issue would mean that CEO Sundar Pichai would have to testify in Congress, just as Mark Zuckerberg did. In fact, some senators did call for Google’s CEO to appear in a data privacy hearing earlier this spring. Pichai has refused to testify multiple times since then, but he recently agreed to testify in the U.S. House in the coming weeks.

Lucian Armasu
Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.

Nvidia RTX 5060 Ti 8GB loses up to 10% performance when using PCIe 4.0

27-inch 4K 160 Hz IPS gaming monitor is down to $289 at Amazon

Storage device boiled in salt water, then grilled in an oven as proof of durability — Cerabyte's glass storage media claimed to be ultra-rugged
See more latest
8 Comments Comment from the forums
  • shrapnel_indie
    Guess what, I hope the regulations come now. Plus, Google decided to let potential harm live, apparently never fixing it (that's what I get out of this article) Too late for what Google already has done, but needed anyway.
    Reply
  • 10tacle
    21387758 said:
    Guess what, I hope the regulations come now. Plus, Google decided to let potential harm live, apparently never fixing it (that's what I get out of this article) Too late for what Google already has done, but needed anyway.

    Not only that, but Google has been proven to be politically biased in their search engine results (as Facebook has been proven to be the same way in top story links). I'm among the furthest removed from wanting private companies regulated, but when you have companies like Google and Facebook dictating information (AND spying on account owners then censoring them based on political persuasion), then that's no better than what Nazi Germany did prior to and during WWII on German Citizens. Or Stalin and Russia, or Hirohito and Japan, or Kim Il Sung and North Korea, and... .

    AT&T got broken up for a reason in the 1980s as politics got involved with power (and market) projection. It's time for some three decades later to come through the same fruition of the same level of abuse.
    Reply
  • alextheblue
    21387758 said:
    Guess what, I hope the regulations come now. Plus, Google decided to let potential harm live, apparently never fixing it (that's what I get out of this article) Too late for what Google already has done, but needed anyway.
    These threats still live on in Android apps and Chrome extensions. Good job, Google, this really reaffirms where your priorities lie. Datamining and political agendas > user rights and transparency.
    Reply
  • kenjitamura
    21388792 said:
    Not only that, but Google has been proven to be politically biased in their search engine results (as Facebook has been proven to be the same way in top story links).

    Nothing has been proven. Googles news search results primarily returns results of large established news organizations that have more abundant journalists, produce more original content and on scene articles, and are quick to react to events as they unfold. This is known as the main stream media and to date practically the only far right main stream news site is Fox News which gets plenty of hits on political search results.

    To optimize the search engines news results to display a larger portion of small newly budding news sites, who primarily circulate each others articles, are slow to react, and have less staff like the ones seen in the far rights news circles would be what's considered tweaking the algorithm to show bias.
    Reply
  • shrapnel_indie
    21389256 said:
    21388792 said:
    Not only that, but Google has been proven to be politically biased in their search engine results (as Facebook has been proven to be the same way in top story links).

    Nothing has been proven. Googles news search results primarily returns results of large established news organizations that have more abundant journalists, produce more original content and on scene articles, and are quick to react to events as they unfold. This is known as the main stream media and to date practically the only far right main stream news site is Fox News which gets plenty of hits on political search results.

    To optimize the search engines news results to display a larger portion of small newly budding news sites, who primarily circulate each others articles, are slow to react, and have less staff like the ones seen in the far rights news circles would be what's considered tweaking the algorithm to show bias.

    Except that article sharing, or at least primary source sharing is still strong in the MSM... i.e. a story done by Associated Press will become a dozen MSM versions or more. Fox, while reporting more right wing angles, still has left leanings under the surface. It's easier to hide smaller news services who won't bury a story (yes, in cases their right wing angle is just as severe as the left wing angle) due to it's of the wrong persuasion or angle. I'd rather have a more neutral position myself, where a story covers both sides more fairly, but in today's society that is more of a pipe dream than reality
    Reply
  • shrapnel_indie
    21388792 said:
    21387758 said:
    Guess what, I hope the regulations come now. Plus, Google decided to let potential harm live, apparently never fixing it (that's what I get out of this article) Too late for what Google already has done, but needed anyway.

    Not only that, but Google has been proven to be politically biased in their search engine results (as Facebook has been proven to be the same way in top story links). I'm among the furthest removed from wanting private companies regulated, but when you have companies like Google and Facebook dictating information (AND spying on account owners then censoring them based on political persuasion), then that's no better than what Nazi Germany did prior to and during WWII on German Citizens. Or Stalin and Russia, or Hirohito and Japan, or Kim Il Sung and North Korea, and... .

    AT&T got broken up for a reason in the 1980s as politics got involved with power (and market) projection. It's time for some three decades later to come through the same fruition of the same level of abuse.

    I'd rather there be no regulation myself... but this is more a case of regulation for the sake of personal privacy than a case of content/result control. All those regimes you mentioned were the opposite... wanted to know your business, to keep you in line with their way and control information so you don't know how extreme and cruel they actually were (or are.)
    Reply
  • hoofhearted
    CA residents (or at some lawyers) will make some money off SB1386
    Reply
  • jaexyr
    What's Google+?
    Reply
Most Popular
Zotac RTX 5060 Series
Nvidia RTX 5060 Ti 8GB loses up to 10% performance when using PCIe 4.0
Cerabyte glass and ceramic storage media
Storage device boiled in salt water, then grilled in an oven as proof of durability — Cerabyte's glass storage media claimed to be ultra-rugged
Intel Xeon CPU
Dynatron coolers support up to 660W for Intel Diamond Rapids and AMD Venice CPUs
Minecraft
Minecraft runs on 8MB of VRAM using a 20-year-old GPU
Intel Arc Battlemage B580 and B570
Intel Arc Xe3 Celestial GPU enters pre-validation stage
Nvidia CEO Jensen Huang
Nvidia CEO Jensen Huang scores his first base salary increase since 2015
Kuwait City skyline at night
Energy use in a Kuwaiti city fell by over 50% after authorities cracked down on crypto mining
Arm
Apple expects to source over 19 billion chips from U.S. factories this year
The Asus TUF Gaming T500 gaming desktop
Gaming desktop with a mobile CPU — Asus tries a different approach with the TUF Gaming T500
Hacker
Microsoft has no plans to fix Windows RDP bug that lets you log in with old passwords