Internet Security Blog - Hackology

Google Plus Getting Minus: 3-Year-Old Vulnerability

Update: I just stumbled on one of my posts from 2011, ‘Google Plus Loosing it Already‘, in which I stated, while Google+ was still in beta, that it might be launched with a ‘fee’ structure. It took Google 7 years to realize it, and now they are doing what I already stated.

Google plans to shut down Google Plus after a vulnerability was discovered by G+ tech teams during an annual audit. But Google's plan to shut down Google Plus came only after the vulnerability and its impact were reported by the Wall Street Journal. Fun fact? The vulnerability existed from 2015 until March 2018 (when Google silently patched it), and Google only shared it with the world once the world already knew.


Google Plus Vulnerability

  • Users can grant API access to their Profile data, and to the public Profile information of their friends, to Google+ apps.
  • The vulnerability meant that apps (via the API) also had access to Profile fields that were shared with the user but not marked as public.
  • 500,000 Google+ accounts were potentially affected.
  • Google's analysis showed that up to 438 applications may have used this API.
  • As per Google's official post, this data is limited to static, optional Google+ Profile fields, including name, email address, occupation, gender and age.
  • Google states that it does not include any other data you may have posted or connected to Google+ or any other service, such as Google+ posts, messages, Google account data, phone numbers or G Suite content.
  • Google discovered and immediately patched this bug in March 2018. They believe it occurred after launch as a result of the API's interaction with a subsequent Google+ code change (they did not share details of what exactly changed).
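To make the bug class concrete, here is an added example constructed for this post; it is not Google's code, and the field names, visibility levels, profile data and function names are all assumptions. The vulnerable variant reuses the "what can this viewer see" check when answering a third-party app acting on the viewer's behalf, so friends-only fields of other people leak to the app; the fixed variant grants the app the acting user's own profile in full and only public fields of anyone else.

```python
"""Constructed example of a profile-visibility authorization bug of the shape
described in the post, shown in a vulnerable and a fixed form. Not Google's
code; every name and value here is made up for illustration."""
from dataclasses import dataclass

PUBLIC, FRIENDS, PRIVATE = "public", "friends", "private"


@dataclass(frozen=True)
class Profile:
    owner: str
    fields: dict          # field name -> value
    visibility: dict      # field name -> PUBLIC | FRIENDS | PRIVATE
    friends: frozenset    # user ids allowed to see FRIENDS fields


def visible_to_user(profile: Profile, viewer: str) -> dict:
    """What a signed-in person may see when browsing a profile themselves:
    the owner sees everything, friends see FRIENDS and PUBLIC fields,
    everyone else sees PUBLIC fields only."""
    if viewer == profile.owner:
        return dict(profile.fields)
    out = {}
    for name, value in profile.fields.items():
        vis = profile.visibility.get(name, PRIVATE)
        if vis == PUBLIC or (vis == FRIENDS and viewer in profile.friends):
            out[name] = value
    return out


def api_people_get_vulnerable(profile: Profile, acting_user: str) -> dict:
    """Bug shape: the API endpoint used by third-party apps simply reuses the
    viewer's visibility. An app acting for `acting_user` therefore receives
    friends-only fields that the friend never made public."""
    return visible_to_user(profile, acting_user)


def api_people_get_fixed(profile: Profile, acting_user: str) -> dict:
    """Fix: an app acting for `acting_user` gets that user's own profile and
    only PUBLIC fields of any other profile, regardless of friendship."""
    if acting_user == profile.owner:
        return dict(profile.fields)
    return {
        name: value
        for name, value in profile.fields.items()
        if profile.visibility.get(name, PRIVATE) == PUBLIC
    }


def leaked_fields(profile: Profile, acting_user: str) -> set:
    """Fields the vulnerable endpoint exposes to an app that the fixed one
    withholds; useful as a regression check when auditing such an API."""
    vulnerable = api_people_get_vulnerable(profile, acting_user)
    fixed = api_people_get_fixed(profile, acting_user)
    return set(vulnerable) - set(fixed)


# Constructed sample data: alice shares her email with friends only and
# keeps her age private; bob is her friend, carol is not.
ALICE = Profile(
    owner="alice",
    fields={"name": "Alice", "email": "alice@example.invalid", "age": 34},
    visibility={"name": PUBLIC, "email": FRIENDS, "age": PRIVATE},
    friends=frozenset({"bob"}),
)

if __name__ == "__main__":
    # An app installed by bob asks for alice's profile.
    print("vulnerable:", api_people_get_vulnerable(ALICE, "bob"))
    print("fixed:     ", api_people_get_fixed(ALICE, "bob"))
    print("leaked:    ", leaked_fields(ALICE, "bob"))
```

The point of `leaked_fields` is that the difference between the two responses is exactly the non-public data the post describes: the app never asked for anything beyond what bob could see, yet it received a field alice had restricted to friends. A defender auditing a people/profile API can run this kind of differential check with a non-friend, a friend and the owner as the acting user and expect an empty set in every case.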

How does Google know user data was not misused?

Google says that Google+ was made with privacy in mind and therefore kept the API's log data for only two weeks. That means Google cannot confirm which users were impacted by this bug. That is really lame logic: if privacy was in mind, shouldn't Google have been careful when making code changes, rather than missing a bug for some 3 years? Google further adds that they ran a detailed analysis over the two weeks prior to patching the bug, and from that analysis the Profiles of up to 500,000 Google+ accounts were potentially affected. Their analysis showed that up to 438 applications may have used this API.

Google found no evidence that any developer was aware of this bug or was abusing the API, and found no evidence that any Profile data was misused. Their conclusion is based on a 2-week observation window against a bug that existed for 3 years. Seems sufficient?

Google Plus Demise
Google+ had a decent start and never thought it would see this day

Why didn't Google come forward with the Google+ vulnerability?

We all know about Facebook and Cambridge Analytica, and how hard a time it gave Facebook. Google's internal board meeting came to the conclusion that disclosing this bug at that very moment would have drawn all the media attention onto Google Plus, which would have been really bad for Google.

Our Privacy & Data Protection Office reviewed this issue, looking at the type of data involved, whether we could accurately identify the users to inform, whether there was any evidence of misuse, and whether there were any actions a developer or user could take in response. None of these thresholds were met in this instance.

The above extract from Google's Project Strobe announcement raises a question: if they could not accurately identify the users to inform, how valid is their guesswork when they say no data was misused?

Migrate Google Data and Timeline

Google will announce a Google Plus data migration tool, which I will add here to keep things simple once Google makes it available. Consumer Google Plus will cease to exist by August 2019, as Google+ never caught on the way Google might have wished, and with the current fiasco, why bother.

Over the coming months, we will provide consumers with additional information, including ways they can download and migrate their data.

The migration of Google Plus data makes me curious: will they somehow allow us to migrate our data to other social media platforms? I think it is highly unlikely, and if that is the case, what do they even mean by “migrate data”?

Google Plus Hacked Data

No, it's not there yet. It's a matter of time before it appears on the darknet, and when it does it will make Google look really bad, as their own report categorically stated that Google Plus data has not been misused by any third-party app. I wonder how they will justify it if it does appear. It's a wait-and-watch game for now.
