After a second, newly discovered bug affected 52.5 million Google+ users, Google has decided to shutter the social network earlier than originally planned.
“We’ve recently determined that some users were impacted by a software update introduced in November that contained a bug affecting a Google+ API,” David Thacker, vice president of product management for G Suite, wrote in a Monday blog post. “With the discovery of this new bug, we have decided to expedite the shut-down of all Google+ APIs” within 90 days and will “accelerate the sunsetting of consumer Google+ from August 2019 to April 2019.”
Thacker said the bug, which Google fixed within a week, was discovered as part of the company’s “standard and ongoing testing procedures” and assured users that the company’s systems hadn’t been compromised by a third party. “We have no evidence that the app developers that inadvertently had this access for six days were aware of it or misused it in any way,” he wrote.
The affected API allowed apps that had requested permission to view profile information a user had added to a Google+ profile (such as name, occupation, email and age) to read that information even when the user had not set it to public. It did not give developers access to the kinds of data typically used to commit identity fraud, such as Social Security numbers, financial data or passwords.
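The failure pattern described above is an authorization check that stops at the OAuth scope and never consults the owner's per-field visibility setting. The toy profile API below is an added illustration, not Google's code or a reconstruction of the Google+ API: the scope names, field names, visibility levels and sample profile are all assumptions constructed for the example. It shows the buggy read path beside a fixed one that requires both the scope and the visibility to permit the read, and a helper that lists exactly which fields the buggy path would have handed to an app.

```python
"""Toy profile API: scope check alone vs. scope plus per-field visibility.

Hypothetical model of the bug class described in the article; not Google's
code. Scope names, field names and the sample profile are constructed here.
"""
from dataclasses import dataclass
from enum import Enum


class Visibility(Enum):
    PUBLIC = "public"      # anyone, including third-party apps
    CIRCLES = "circles"    # only people the owner chose to share with
    ONLY_ME = "only_me"    # the owner alone


@dataclass(frozen=True)
class ProfileField:
    value: str
    visibility: Visibility


# Which OAuth scope unlocks which profile fields (assumed scope names).
SCOPE_FIELDS = {
    "profile.basic": {"name", "occupation", "age"},
    "profile.email": {"email"},
}


def fields_unlocked_by(granted_scopes):
    """Union of the fields every granted scope covers. Unknown scopes unlock nothing."""
    unlocked = set()
    for scope in granted_scopes:
        unlocked |= SCOPE_FIELDS.get(scope, set())
    return unlocked


def read_profile_buggy(profile, granted_scopes):
    """Bug pattern: the scope check is the only gate.

    A field the owner restricted to 'circles' or 'only me' is still returned
    as long as the calling app holds a scope that covers it.
    """
    unlocked = fields_unlocked_by(granted_scopes)
    return {name: f.value for name, f in profile.items() if name in unlocked}


def read_profile_fixed(profile, granted_scopes):
    """Fixed: scope AND visibility must both allow the read.

    A third-party app is treated like any other non-owner viewer, so only
    fields the owner set to PUBLIC pass; everything else is withheld.
    """
    unlocked = fields_unlocked_by(granted_scopes)
    return {
        name: f.value
        for name, f in profile.items()
        if name in unlocked and f.visibility is Visibility.PUBLIC
    }


def leaked_fields(profile, granted_scopes):
    """Fields the buggy path returns that the fixed path withholds."""
    buggy = read_profile_buggy(profile, granted_scopes)
    fixed = read_profile_fixed(profile, granted_scopes)
    return set(buggy) - set(fixed)


# Constructed sample profile: only the display name is public.
SAMPLE_PROFILE = {
    "name": ProfileField("A. Example", Visibility.PUBLIC),
    "occupation": ProfileField("Engineer", Visibility.CIRCLES),
    "age": ProfileField("34", Visibility.ONLY_ME),
    "email": ProfileField("a.example@example.com", Visibility.CIRCLES),
}
# Scopes a hypothetical app obtained through the user's consent screen.
APP_SCOPES = {"profile.basic", "profile.email"}

if __name__ == "__main__":
    print("buggy :", read_profile_buggy(SAMPLE_PROFILE, APP_SCOPES))
    print("fixed :", read_profile_fixed(SAMPLE_PROFILE, APP_SCOPES))
    print("leaked:", sorted(leaked_fields(SAMPLE_PROFILE, APP_SCOPES)))
```

The design point is that consent and visibility are two independent decisions made by the same user, and the API has to honour both: the scope answers "may this app read this category of data at all", the visibility answers "who may see this particular field". A test like `leaked_fields` run against every visibility level is a cheap regression check for the class of bug the article describes.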
Google is alerting both consumer and enterprise users affected by the flaw.
“It’s been a bad couple months to be Google. The good news is that Google identified the vulnerabilities themselves, which isn’t always the case, and executives are accelerating actions to protect their users’ data from further exposure, now deciding to sunset Google+ four months earlier than originally planned,” said Imperva CTO Terry Ray, who explained “a door was left open, but as far as the company can tell, no one went in and nothing was taken.”
Google’s proactive public announcement “may be the beginning of a trend, time will tell,” Ray said. “It seems companies have begun letting users know about exposures, whether in the hopes of some goodwill if something is found to be stolen and/or in the hopes that users will review their account statements and be extra vigilant when vetting e-mail and other communications against scammers.”
He expects Google CEO Sundar Pichai “will likely have to answer some tough questions on the Hill tomorrow—especially since the first data exposure was originally not going to be disclosed to users,” but gave the company credit for “taking this issue seriously” as well as “learning from previous mistakes.”
Stephan Chenette, co-founder and CTO, AttackIQ, also praised Google for learning from past mistakes and disclosing the second bug “much sooner” in an attempt to be transparent. “Google has learned that while security incidents have short-term impacts on stock prices, the long-term price is heavily influenced by how the company handles public disclosure of the breach,” he said.
Bugs in APIs “can provide a direct gateway to sensitive customer info without checking who is accessing the data,” representing a threat that “is a growing concern for businesses because applications are critical to doing business across industries,” Ray said. “As we’ve seen over the last year of breaches, APIs are particularly vulnerable to third-party application security coding errors. Web applications have been quickly growing more complex as users and companies demand more from their online, mobile and connected device experiences.”
Rami Essaid, co-founder, Distil Networks, maintained “APIs impact business and the world around us more than most people realize,” and said that API security “flying under the radar and not being adequately addressed should be a red flag prompting organizations to examine their own practices.”
He called for CIOs and CISOs “to get a handle on how responsibility is addressed within their organizations and decide whether the process is sufficiently robust.”