Google has announced that it is shutting down its social network, Google+, after disclosing a bug that exposed the private profile data of hundreds of thousands of Google+ users to third-party developers.
According to Google, a bug in one of the Google+ APIs (the People API) allowed third-party developers to read profile fields that users had not marked as public, such as name, email address, occupation, gender and age, for up to 500,000 users.
Google cannot determine the exact number of affected users because Google+ keeps API logs for only two weeks.
In its blog post, Google says it ran a detailed analysis over the two weeks before the bug was patched and concluded that the profiles of up to 500,000 Google+ accounts were potentially affected, and that around 438 applications may have used the API during that window. Google also states that it has found no evidence that any developer was aware of the bug, or that profile data was misused by any of the 438 developers who could have had access. Note that this is a finding limited to the two weeks of logs that exist, not proof that no data was accessed over the bug's full lifetime.
The vulnerability had been present since 2015. Google discovered it in March 2018 and patched it immediately, but did not disclose it publicly at the time.
Google has not published technical details of the flaw, but it appears similar to the recent Facebook API flaw that let unauthorized developers access private data of Facebook users.
Alongside the disclosure, Google announced that it plans to shut down the consumer version of Google+, acknowledging that the service failed to achieve broad adoption or significant traction with consumers.
Google+ will be shut down for consumers by the end of August 2019, but it will continue as a product for enterprise customers.
New Privacy Controls Over Third-Party App Permissions Introduced
To limit the leakage of sensitive data to third-party app developers, Google has made several changes. As part of "Project Strobe," Google engineers reviewed third-party developer access to Google account and Android device data and introduced new privacy controls.
Previously, when a third-party app prompted a user for access to their Google account data, clicking the "Allow" button approved every requested permission at once, which let a malicious app bundle a powerful permission in with innocuous ones and trick the user into granting it.
Google has now updated its account permissions dialog to ask for each requested permission individually rather than all at once. This gives users finer control over which account data they share with each app, and it means an app can no longer assume that every scope it requested was actually granted.
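Per-permission consent has a consequence for app developers that the announcement does not spell out: the set of scopes the user approves can be a strict subset of the set the app asked for, so the app has to read the granted set back from the token response and gate its API calls on that, not on what it requested. The following is an added example (not code from the article or from Google) showing that check. It relies on RFC 6749 section 5.1, which defines the token response's `scope` field as a space-delimited list of the scopes actually granted, required whenever that differs from the request, and on Google's documented `include_granted_scopes` parameter for incremental authorization. The two scope strings are real Google scopes; the client ID, redirect URI and the token response are constructed for illustration.

```python
"""Client-side handling of per-permission OAuth consent (added example).

Assumptions: RFC 6749 5.1 semantics for the token response's "scope" field,
and Google's include_granted_scopes=true parameter for incremental auth.
The client_id, redirect_uri and SAMPLE_TOKEN_RESPONSE below are constructed.
"""
from __future__ import annotations

from urllib.parse import urlencode

# Real Google OAuth 2.0 authorization endpoint.
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"

# Least privilege: request only what a feature needs, and request the sensitive
# scope separately (incremental authorization) when that feature is first used,
# rather than bundling everything into the sign-in prompt.
SCOPE_PROFILE = "https://www.googleapis.com/auth/userinfo.profile"
SCOPE_GMAIL_READ = "https://www.googleapis.com/auth/gmail.readonly"


def build_auth_url(client_id: str, redirect_uri: str,
                   scopes: list[str], state: str) -> str:
    """Build the authorization request for the given scopes.

    include_granted_scopes=true asks Google to fold scopes the user already
    approved into the new grant, so an app can add one scope at a time.
    """
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(scopes),
        "state": state,                 # CSRF binding checked on the callback
        "access_type": "offline",
        "include_granted_scopes": "true",
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}"


def granted_scopes(token_response: dict, requested: list[str]) -> set[str]:
    """Scopes the user actually approved.

    Per RFC 6749 5.1 an absent "scope" field means the grant equals the
    request; when the field is present it is authoritative.
    """
    raw = token_response.get("scope")
    if raw is None:
        return set(requested)
    return set(raw.split())


def missing_scopes(token_response: dict, requested: list[str]) -> set[str]:
    """Requested scopes the user declined in the per-permission dialog."""
    return set(requested) - granted_scopes(token_response, requested)


def may_call(token_response: dict, requested: list[str], needed: set[str]) -> bool:
    """Gate an API call on the granted set, not the requested one, so a
    declined permission degrades the feature instead of producing 403s or
    code paths that assume data they never received."""
    return needed <= granted_scopes(token_response, requested)


# Constructed token response: the user approved the profile scope but
# declined Gmail access in the per-permission dialog.
SAMPLE_TOKEN_RESPONSE = {
    "access_token": "ya29.constructed-example",
    "expires_in": 3599,
    "token_type": "Bearer",
    "scope": SCOPE_PROFILE,
}
REQUESTED = [SCOPE_PROFILE, SCOPE_GMAIL_READ]

if __name__ == "__main__":
    print(build_auth_url("client-id-placeholder",
                         "https://app.example/callback", REQUESTED, "nonce123"))
    print("declined:", missing_scopes(SAMPLE_TOKEN_RESPONSE, REQUESTED))
    print("may read profile:",
          may_call(SAMPLE_TOKEN_RESPONSE, REQUESTED, {SCOPE_PROFILE}))
    print("may read mail:",
          may_call(SAMPLE_TOKEN_RESPONSE, REQUESTED, {SCOPE_GMAIL_READ}))
```

The same check applies to refresh-token flows: a refresh response may also carry a narrower `scope`, so re-derive the granted set from each token response rather than caching the answer from the first consent.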
Some APIs give developers access to highly sensitive data, such as the contents of a Gmail account. Google has therefore restricted Gmail API access to apps that directly enhance email functionality, such as email clients, email backup services and productivity services.
To prevent the leakage of sensitive call and text log data, Google has added a rule to its Google Play Developer Policy that limits use of the Call Log and SMS permissions to the app the user has set as their default phone or SMS app.