The flawed Google+ People API used by up to 438 applications

Oct 8, 2018 17:43 GMT

A bug in the Google+ People API, which Google says it discovered in March 2018 and which had been present since 2015, allowed third-party apps to read personal information such as name, e-mail address, occupation, age, gender, birthday, places lived and employers/organizations (plus other, less sensitive fields) from up to 500,000 profiles.

Google found the issue during Project Strobe, an internal review of third-party developer access to Google account and Android device data.

Although Google found the Google+ People API bug in March 2018, it chose not to disclose it publicly at the time because it "found no evidence that any developer was aware of this bug, or abusing the API, and we found no evidence that any Profile data was misused."

However, as the blog post announcing the issue concedes, Google "made Google+ with privacy in mind and therefore keep this API’s log data for only two weeks. That means we cannot confirm which users were impacted by this bug." The same short retention window that limits exposure also limits forensics: nothing older than two weeks could be checked for abuse, so the absence of evidence covers only that window.

Through the People API, a user can grant a Google+ app access to their own Profile data and to the public Profile information of their friends. The bug was that such apps could also read Profile fields that had been shared with the user but not marked public, so an app's access exceeded what the user's friends had consented to.
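The authorization mistake described above, as an added toy model (this is hypothetical illustration code written for this page, not Google's implementation; the profile data, user ids and function names are constructed for the example). Each profile field carries its own visibility, the flawed endpoint filters by what the signed-in user can see, and the hardened endpoint filters by what a third-party app is entitled to see on that user's behalf:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ProfileField:
    """One static profile attribute with the owner's visibility choice."""
    value: str
    public: bool = False
    shared_with: frozenset = frozenset()  # user ids the owner shared it with


@dataclass
class Profile:
    user_id: str
    fields: dict  # field name -> ProfileField


def user_can_see(profile: Profile, name: str, viewer: str) -> bool:
    """Visibility as the UI enforces it for a signed-in human viewer."""
    f = profile.fields[name]
    return viewer == profile.user_id or f.public or viewer in f.shared_with


def people_get_buggy(target: Profile, acting_user: str) -> dict:
    """Flawed endpoint: returns everything the acting user personally can see.

    The caller is a third-party app acting for `acting_user`, not the user,
    so fields a friend shared privately with the user leak to the app.
    """
    return {n: f.value for n, f in target.fields.items()
            if user_can_see(target, n, acting_user)}


def people_get_fixed(target: Profile, acting_user: str) -> dict:
    """Hardened endpoint: an app gets the user's own profile, but for anyone
    else only the fields the owner explicitly made public."""
    if target.user_id == acting_user:
        return {n: f.value for n, f in target.fields.items()}
    return {n: f.value for n, f in target.fields.items() if f.public}


def over_exposed_fields(target: Profile, acting_user: str) -> set:
    """Audit helper: which fields the buggy endpoint hands out beyond policy."""
    return set(people_get_buggy(target, acting_user)) - set(
        people_get_fixed(target, acting_user))


# Constructed sample profile: Bob shares some fields with specific friends.
BOB = Profile("bob", {
    "name": ProfileField("Bob Example", public=True),
    "email": ProfileField("bob@example.com", shared_with=frozenset({"alice"})),
    "occupation": ProfileField("Engineer", shared_with=frozenset({"alice", "carol"})),
    "birthday": ProfileField("1980-01-01"),  # shared with nobody
})

if __name__ == "__main__":
    # An app authorized by Alice asks for Bob's profile.
    print("buggy:", people_get_buggy(BOB, "alice"))
    print("fixed:", people_get_fixed(BOB, "alice"))
    print("leaked beyond policy:", over_exposed_fields(BOB, "alice"))
```

The check that matters is whose consent the returned data rests on: Alice consented to the app seeing her profile, but Bob only consented to Alice seeing his e-mail address, so the app must be held to Bob's public fields. `over_exposed_fields` is the kind of differential test that would have caught the regression the article attributes to a later code change.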

The API bug affected up to 500,000 Google+ accounts, and the exposed data is limited to static, optional fields attached to a profile

Because only two weeks of logs were available, Google analyzed the two weeks of API activity prior to the patch and concluded that up to 500,000 Google+ accounts were potentially affected and that up to 438 applications may have used the affected API in that window.

The full list of profile fields that third-party applications could retrieve through the defective endpoint corresponds to the fields documented on the Google+ People API REST reference page.

Google also says it will shut down the consumer version of Google+, citing "significant challenges in creating and maintaining a successful Google+ product that meets consumers’ expectations."

Furthermore, as Ben Smith, Google Fellow and Vice President of Engineering, states in the company's blog post, the bug was not present at the API's initial launch; it appeared after a later code change on the Google+ platform interacted with the API.

[Photo gallery: Google+ shutting down; some of the data possibly leaked through the flawed API]