Google has admitted that a bug was present in the API for the consumer version of Google Plus (Google+) that let third-party developers access data not just of its users but also of their contacts and friends.
Reportedly, data of up to 500,000 users could have been exposed to external developers. The bug was present in the API for over two years and was patched in March 2018. So far, Google claims that there is no evidence of misuse of the leaked data or of exploitation of the vulnerability.
“We found no evidence that any developer was aware of this bug, or abusing the API, and we found no evidence that any Profile data was misused,” writes Google’s VP of engineering Ben Smith.
In response to the ongoing privacy-related issues with Google Plus, shares of its parent company, Alphabet Inc., also dropped 1.5% to $1150.75.
According to Google, the issue is being reviewed, the type of data leaked is being analyzed, and affected users are being identified so that they can be informed and told what actions to take immediately to mitigate any looming threat. The company states that a software glitch in the Google Plus commercial version is the probable cause of external developers gaining access to users’ profile data.
The data leak might have occurred while Google Plus was undergoing a major design shift between 2015 and March 2018, Google assumes. The bug was identified only recently by Google’s internal investigators and patched immediately.
Soon after the story was published, Google Plus consumer access was shut down until Google improves privacy protections for third-party apps. The company also published a blog post revealing that nearly 500,000 accounts are currently at risk of data exposure and that around 438 different third-party apps might have gained access to private data of Google Plus users.
Smith defended the decision not to disclose the data leak as a sound one, because “whenever user data may have been affected, we go beyond our legal requirements and apply several criteria focused on our users in determining whether to provide notice.”
Google isn’t obliged by federal law to disclose data leaks per se; however, there are state-level laws, specifically in California where Google is headquartered, that require companies to disclose data leaks if an individual’s name, medical information, ID card, driver’s license, and/or social security number is involved.
Google will be endorsing a series of reforms to its current privacy policies to give users more control over how much data they share with third-party developers. This means users will have more control over different aspects of their Google accounts, and third-party access to email, contacts, SMS, and phone logs will be much more limited from now on.