Second Google+ API bug exposes private data of 52.5 million

A newly discovered flaw in Google+ has exposed data belonging to 52.5 million users, even if their account settings were set to private, leading the company to shutter the social media platform earlier than expected.

Google revealed that a bug in a Google+ API, discovered in November, allowed developers to access user data, regardless of their privacy settings, and extract information for use in applications.

Google first discovered the bug in November and patched it within a week, the company revealed in an advisory post on Monday. As a result, Google+ APIs will shut down within the next 90 days, preventing any further app development using the platform, and the closure of the service will be brought forward from August to April 2019.

"We've recently determined that some users were impacted by a software update introduced in November that contained a bug affecting a Google+ API," said David Thacker, VP product management for G Suite. "We discovered this bug as part of our standard and ongoing testing procedures and fixed it within a week of it being introduced. No third party compromised our systems, and we have no evidence that the app developers that inadvertently had this access for six days were aware of it or misused it in any way."

Although there is no evidence that the API was exploited, the bug could have allowed attackers to view profile fields such as name, email address, occupation and age, even when the account's privacy settings were not public. Google says that no financial data, national identification numbers or passwords were at risk during this time.

It's a case of déjà vu for Google, as a similar buggy API was found in October that allowed malicious apps to access the data of half a million users, again with no evidence that the data was actually accessed or exploited.

In the October announcement, Google first said it would be shutting down its social network for consumers, citing the August 2019 deadline. The decision sparked widespread outrage among customers as it emerged that the company knew about the buggy API as far back as March 2018, taking seven months to disclose its findings.

Google CEO Sundar Pichai will appear before Congress today to address various allegations made against the company, including political bias towards the Democrats, whether it will restart its search engine in China via project Dragonfly, and also the Google+ API bug from October.

Pichai's written testimony was made public on Monday, around the time of the API announcement. In it, he said he would defend the integrity of his company's products at a congressional hearing where he was expected to face tough questions, including some about the October Google+ data breach.

"We work hard to ensure the integrity of our products, and we've put a number of checks and balances in place to ensure they continue to live up to our standards," Pichai's testimony read. "I lead this company without political bias and work to ensure that our products continue to operate that way. To do otherwise would go against our core principles and our business interests."

Google+ launched in 2011, seemingly as an attempt to rival Facebook, but quickly slipped into irrelevance. The challenge ultimately failed: Zuckerberg's venture, despite heavy criticism over the past few years, still retains market dominance.

Connor Jones
News and Analysis Editor
