The end of Google+: Low usage and an API bug that exposed user data

Google has announced that it will be closing down the consumer version of Google+, its failed answer to Facebook, and is introducing more granular Google Account permissions, new limits for third-party apps that seek permission to access users’ Gmail data, and new limits for apps’ abilities on Android devices.

The Google+ problem

Ben Smith, Google Fellow and VP of Engineering, cited “significant challenges in creating and maintaining a successful Google+ that meets consumers’ expectations” and low usage and engagement as the reason behind the Google+ sunsetting.

“90 percent of Google+ user sessions are less than five seconds,” he noted.

Among the cited challenges is surely that of keeping user data secure and private. In a post-GDPR world and with strong user privacy laws popping up, data breaches are becoming a big headache for companies that handle user data.

At the same time, Smith shared details about a security vulnerability they found in one of the Google+ People APIs, which could have allowed third-party apps to access non-public fields in users’ Profile.

“We discovered and immediately patched this bug in March 2018. We believe it occurred after launch as a result of the API’s interaction with a subsequent Google+ code change,” he said.

As they found “no evidence that any developer was aware of this bug, or abusing the API,” and it was impossible to tell how many or which users were potentially affected, the company’s Privacy & Data Protection Office decided against informing users and the wider public about it as, after taking in consideration all factors, they felt they weren’t legally required to.

Simultaneously with this announcement, The Wall Street Journal reported on an internal Google memo from Google’s policy and legal teams to senior executives that warned about the likelihood of regulatory scrutiny and a possible PR nightmare should they go public with the discovered vulnerability.

“Unlike the recent Facebook breach, this disclosure timeline is incomprehensibly long and will likely provoke a lot of questions from regulatory authorities,” says Ilia Kolochenko, the CEO of web security company High-Tech Bridge.

“Inability to assess and quantify the users impacted does not exempt from disclosure. Although, a security vulnerability per se does not automatically trigger the disclosure duty, in this case it seems that Google has some reasonable doubts that the flaw could have been exploited. Further clarification from Google and technical details of the incident would certainly be helpful to restore confidence and trust among its users currently abandoned in darkness.”

Tyler Moffitt, Senior Threat Research Analyst at Webroot, pointed out that although it seems that Google has shut down an entire line of business due to this breach, from a GDPR perspective, the company appears to have gotten off lightly – had this breach occurred just a few months later, Google could be subject to strict GDPR fines for not keeping user data safe.

“It’s important for consumers to realise that connecting apps in social media platforms only increases the amount of valuable information that could potentially be breached, as well as increases attack vectors that hackers can leverage,” he added.

The customer version of Google+ will wind down over the next ten months, and Google will “provide consumers with additional information, including ways they can download and migrate their data.”

Smith said that Google+ will still exist as an enterprise offering and that they will be launching new features purpose-built for businesses.

Other announced changes

Google is also working on making it easier for users to see and control what data they share with third-party Gmail and Android apps.

“Going forward, consumers will get more fine-grained control over what account data they choose to share with each app. Instead of seeing all requested permissions in a single screen, apps will have to show you each requested permission, one at a time, within its own dialog box. For example, if a developer requests access to both calendar entries and Drive documents, you will be able to choose to share one but not the other,” Smith explained.

When it comes to Gmail, only apps directly enhancing email functionality will be authorized to access this data, and only if they can prove they can handle it securely.

And only apps that the user has selected as their default app for making calls or text messages will be able to ask for permission to access a user’s phone (including call logs) and SMS data. Voicemail and backup apps will be the exception to this rule.