The Green Sheet

Thursday, October 11, 2018

Google finds bug, deletes Google Plus

Google Inc.’s parent company, Alphabet Inc., disclosed on Oct. 8, 2018, that it deactivated the Google+ platform for consumers after detecting a software flaw that can potentially expose private data to software developers. Security analysts said a bug in the Google+ API made it possible for third-party app developers to access data for users and individuals in their Google+ networks. Some have criticized Google for failing to report the vulnerability as soon as it was discovered; keeping the matter private only delayed the inevitable public relations nightmare, they stated.

Pravin Kothari, CEO of CipherCloud, observed that nondisclosure of security failures is trending among leading companies. “Google’s failure, if true, to not disclose to users the discovery of a bug that gave outside developers access to private data is a reoccurring theme,” he stated. “We saw recently that Uber was fined for failing to disclose the fact that they had a breach, and instead of disclosing, tried to sweep it under the rug.”

“[Google’s tagline] Don’t be Evil mutated into Don’t be Caught,” added Colin Bastable, CEO of Lucy Security. “Google’s understandable desire to hide their embarrassment from regulators and users is the reason why states and the feds impose disclosure requirements – the knock-on effects of security breaches are immense.”

Google: ‘No data was misused’

Alphabet was careful to contain the messaging about removing the Google+ website, emphasizing that the company was not aware that any data had been misused or accessed. In an Oct. 8, 2018, blog post titled “Project Strobe: Protecting your data, improving our third-party APIs, and sunsetting consumer Google+,” the company stated an internal review found a bug in the “Google+ People APIs” that enabled third parties to access Profile fields that would normally be limited to the purview of individual users.

“We discovered and immediately patched this bug in March 2018,” wrote Ben Smith, Google fellow and vice president of engineering. “We believe it occurred after launch as a result of the API’s interaction with a subsequent Google+ code change.”

Smith additionally noted that because Google+ was designed with privacy in mind, Google cannot verify which users may have been impacted by the software bug. While Smith found no evidence of foul play or misappropriated personal data, he speculated that as many as 500,000 Google+ accounts may have been affected.

Transparency, accountability

Disclosing security flaws and data breaches can be problematic for companies that rely on user data, Kothari noted. He recommended implementing enhanced government oversight and a unified national data privacy to improve transparency and accountability. These additional security measures will protect data in third-party cloud services, he said.

“Trust and the cloud do not go together until responsibility is taken for locking down and securing our own data,” Kothari stated. “Even if your cloud offers the ability to enforce data protection and threat protection, it is not their data that is compromised and potentially used against them, it is the consumers.” Bastable concurred, adding, “The risk of such a security issue is shared by all of the Google users' employers, banks, spouses, colleagues, etc. But I guess we can trust them when we are told there was no problem.”


Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
