Google has unearthed another Google+ API bug, which prompted it to accelerate the sunsetting of all Google+ APIs and of the consumer version of Google+.
The API bug
The bug was introduced in November through a software update and was discovered as part of the company’s ongoing testing procedures.
“No third party compromised our systems, and we have no evidence that the app developers that inadvertently had this access for six days were aware of it or misused it in any way,” David Thacker, VP of Product Management, G Suite, explained.
“We have confirmed that the bug impacted approximately 52.5 million users in connection with a Google+ API.”
The bug allowed apps to view user profile information that was not shared publicly, but did “not give developers access to information such as financial data, national identification numbers, passwords, or similar data typically used for fraud or identity theft.”
All of the Google+ APIs will be shut down within the next 90 days.
“Google believes that no records were stolen and the vulnerability has been patched, noting that this is a proactive public announcement. Several of these proactive exposure announcements have occurred recently, so this may be the beginning of a trend,” Imperva CTO Terry Ray commented for Help Net Security.
“It seems companies have begun letting users know about exposures, whether in the hopes of some goodwill if something is found to be stolen and/or in the hopes that users will review their account statements and be extra vigilant when vetting e-mail and other communications against scammers.”
He also pointed out that API vulnerabilities are a growing concern for businesses because applications are critical to doing business across industries.
“As we’ve seen over the last year of breaches, APIs are particularly vulnerable to third-party application security coding errors. Web applications have been quickly growing more complex as users and companies demand more from their online, mobile and connected device experiences. I fully expect to see more around API exposures and breaches as this complexity grows,” he concluded.
The end of consumer Google+
The consumer version of Google+ will be no more by April 2019 (the shutdown was initially planned for August 2019).
“We want to give users ample opportunity to transition off of consumer Google+, and over the coming months, we will continue to provide users with additional information, including ways they can safely and securely download and migrate their data,” Thacker added.
As the company announced previously, the enterprise version of Google+ is (for now) safe from the axe, and the company plans to continue investing in it.