Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Google was aware of a flaw that exposed over 500,000 of Google Plus users, but did not disclose it

This is a very bad news for Google that suffered a massive data breach that exposed the private data of over 500,000 of Google Plus users to third-party developers. As a consequence of the data exposure, the company is going to shut down the social media network Google+. The root cause of the data breach is a security […]

social network Google+

This is a very bad news for Google that suffered a massive data breach that exposed the private data of over 500,000 of Google Plus users to third-party developers.

As a consequence of the data exposure, the company is going to shut down the social media network Google+.

The root cause of the data breach is a security vulnerability affecting one of Google+ People APIs that allowed third-party developers to access data for more than 500,000 users.

Exposed data include including usernames, email addresses, occupation, date of birth, profile photos, and gender-related information.

The worse aspect of the story is that the company did not disclose the flaw in the Google+ when it first discovered the issue in this spring because it feared regulatory scrutiny and reputational damage.

“Google exposed the private data of hundreds of thousands of users of the Google+ social network and then opted not to disclose the issue this past spring, in part because of fears that doing so would draw regulatory scrutiny and cause reputational damage, according to people briefed on the incident and documents reviewed by The Wall Street Journal.” reported the Wall Street Journal.

“As part of its response to the incident, the Alphabet Inc. unit on Monday announced a sweeping set of data privacy measures that include permanently shutting down all consumer functionality of Google+.”

Google declared that its experts immediately addressed this vulnerability in March 2018 and that they have found no evidence that any developer has exploited the flaw to access users data. The flaw was present in the Google+ People APIs since 2015.

“We discovered and immediately patched this bug in March 2018. We believe it occurred after launch as a result of the API’s interaction with a subsequent Google+ code change.” reads a blog post published by Google.

“We made Google+ with privacy in mind and therefore keep this API’s log data for only two weeks. That means we cannot confirm which users were impacted by this bug. However, we ran a detailed analysis over the two weeks prior to patching the bug, and from that analysis, the Profiles of up to 500,000 Google+ accounts were potentially affected. Our analysis showed that up to 438 applications may have used this API.”

Google_Plus

The choice of not disclosing the vulnerability was probably influenced by the Cambridge Analytica scandal that was occurring in the same period.

“A memo reviewed by the Journal prepared by Google’s legal and policy staff and shared with senior executives warned that disclosing the incident would likely trigger “immediate regulatory interest” and invite comparisons to Facebook’s leak of user information to data firm Cambridge Analytica.” continues the WSJ.

Experts believe that the vulnerability in Google+ is similar to the one recently discovered in Facebook API.

Google will maintain Google+ only for Enterprise users starting from August 2019.

Google also provided information about the Project Strobe program that has seen a privacy internal task force conducting a companywide audit of the company’s APIs in recent months.

“In a blog post on Monday, Google said it plans to clamp down on the data it provides outside developers through APIs. The company will stop letting most outside developers gain access to SMS messaging data, call log data and some forms of contact data on Android phones, and Gmail will only permit a small number of developers to continue building add-ons for the email service, the company said.” concludes the WSJ.
“The coming changes are evidence of a larger rethinking of data privacy at Google, which has in the past placed relatively few restrictions on how external apps access users’ data, provided those users give permission. Restricting access to APIs will hurt some developers who have been helping Google build a universe of useful apps.”
[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Google Plus flaw, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]