The ugly side of the Google+ demise

Oct 12, 2018

 
It’s not really a surprise. Google has announced the end of Google+ for consumers. It seems logical, since you probably can’t recall the last time someone told you “please join my Google+ circle so we can stay in touch”. But there is a back story to it: a story of flaws, cover-up and a touch of hypocrisy.
 

The facts

 
Google announced this week the demise of its social network Google+. With 90% of users staying on the network for less than 5 seconds at a time, it’s hardly a surprise. This would seem like a wise marketing decision if it hadn’t been triggered by a vulnerability detected last March.
Yet, flaws and bugs happen all the time and Google quickly patched it. So what is the problem?
The problem is that Google only revealed it now, 7 months later, amid the launch of the new Pixel 3 phones, which was bound to drain all the attention.
What is even more disturbing is that Google’s chief privacy officer testified before the Senate Commerce Committee on September 26, 2018. That’s two weeks ago. His testimony was on the issue of privacy yet he didn’t mention the bug.
It was only when the Wall Street Journal published an article on October 8th stating that Google had chosen not to disclose the flaw that the Internet giant made a statement.
 

The bug

 
The vulnerability lay within the Google+ People API (Application Programming Interface). An API is a software intermediary that allows two applications to talk to each other. Here, it gives third-party apps access to some of the information in a user’s Google+ profile.
The flaw was that it also gave access to information that was not meant to be public, such as the real name, email address, occupation, gender, age…
This was patched as soon as it was detected, in March 2018.
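As an added illustration of the bug class described above (hypothetical code, not Google’s, and a toy model of the People API rather than its real interface): a profile endpoint whose OAuth scope check is correct but which never consults the per-field visibility the user chose, beside a version that does and also reports the fields it withheld so they can be logged.

```python
from dataclasses import dataclass

PUBLIC, PRIVATE = "public", "private"

@dataclass
class Profile:
    """Constructed sample: field values plus the user's own visibility per field."""
    fields: dict
    visibility: dict

# Hypothetical OAuth scopes mapping to the profile fields an app may request.
SCOPE_FIELDS = {
    "profile.basic": {"display_name", "occupation", "gender", "age"},
    "profile.email": {"email"},
}

def requested_fields(granted_scopes):
    """Union of the fields named by every scope the user consented to."""
    return set().union(*(SCOPE_FIELDS.get(s, set()) for s in granted_scopes))

def people_get_vulnerable(profile, granted_scopes):
    """Bug class from the article: the scope check passes, but the per-field
    visibility the user chose is never consulted, so private fields leak."""
    wanted = requested_fields(granted_scopes)
    return {k: v for k, v in profile.fields.items() if k in wanted}

def people_get_fixed(profile, granted_scopes):
    """Fix: a field is returned only when the scope covers it AND the user
    marked it public. Withheld field names are returned so the caller can
    write an audit record; with only two weeks of API logs retained, as the
    article notes, such records are what makes 'no evidence of misuse' checkable."""
    wanted = requested_fields(granted_scopes)
    data, withheld = {}, []
    for k, v in profile.fields.items():
        if k not in wanted:
            continue
        if profile.visibility.get(k, PRIVATE) == PUBLIC:  # unknown field: default-deny
            data[k] = v
        else:
            withheld.append(k)
    return data, sorted(withheld)

# Constructed sample profile: only name and occupation are public.
SAMPLE = Profile(
    fields={"display_name": "A. User", "occupation": "Engineer",
            "gender": "f", "age": 34, "email": "a.user@example.com"},
    visibility={"display_name": PUBLIC, "occupation": PUBLIC,
                "gender": PRIVATE, "age": PRIVATE, "email": PRIVATE},
)

if __name__ == "__main__":
    print(people_get_vulnerable(SAMPLE, ["profile.basic", "profile.email"]))
    print(people_get_fixed(SAMPLE, ["profile.basic", "profile.email"]))
```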
 

The “no harm no foul” explanation

 
Google argues that it didn’t need to be brought to the public’s attention, as there is no evidence the flaw was exploited.
The explanations are a bit dodgy though. The flaw potentially affected the accounts of 500,000 users through 438 apps using the API from 2015 until 2018.
Because Google only keeps logs of the past 2 weeks of API usage and because the record was clean during the two weeks preceding the discovery of the bug, it declares no one was affected.
So, sure, the network was seldom used and two weeks of logs were clean but that can’t be proof nothing leaked, ever.
So why did Google put the lid on it?
 

March 2018 was Cambridge Analytica month

 
When the vulnerability was discovered, Facebook was under heavy fire because of the Cambridge Analytica scandal. The Wall Street Journal accessed a memo exposing fears that such disclosure would “draw regulatory scrutiny and cause reputational damage”.
It’s a wonder such a barely used network could draw such damage. Google+ and Facebook don’t compete in the same league; well, not anymore.
Unless, maybe, Google needs to hide other intrigues.
 

Project Strobe, Project Zero, and the hypocrisy twist

 
Project Strobe and Project Zero both come from Google. Strobe was launched in early 2018 and looks into third-party access to Google account and Android device data. It is Project Strobe that uncovered the API flaw in March and suggested the shutdown of Google+ for consumers.
Project Zero, on the other hand, has been around for a little while longer. A team of Google security specialists has been scanning software for flaws since 2014. Not just Google software, mind you; they look into everything.
The procedure is well established. When a flaw is detected, it is reported to the manufacturer, who then has 90 days to fix it before Google informs the public. Google didn’t hesitate one second to expose a Windows 8.1 bug that wasn’t patched within the 90 days, including the code to exploit it.
It’s lucky the two services don’t meet on a regular basis or there wouldn’t have been a 7-month lapse between discovery and exposure [editor’s note: sarcasm intended].
 

What next?

 
Despite disclosure amid the noisy Pixel 3 launch, Google may not have heard the end of it yet. It’s not the bug that bothers the public and the authorities but the cover-up. The American Senate has asked Google CEO Sundar Pichai to produce the memos requesting the cover-up by October 30th, along with seven rather intrusive questions seeking to find out whether other cover-ups took place.
 
With Halloween closing in, let’s see what other monsters are hidden under the Google bed.