Last October, Google announced it was sunsetting the consumer version of Google+ following some privacy breaches and low usage. The deadline was August 2019. Because of yet another bug, the demise will come earlier.
One bug too many
A new bug was discovered following the November update. Once again, it affects the API (Application Programming Interface), the software interface that third-party applications use.
52 million users were affected by the flawed API. Again, personal data not usually made public (real name, gender, email, occupation) could be accessed by malicious third parties. Other personal data, such as financial data or passwords, were unaffected.
Quick response to the bug
The bug was identified quickly and patched. The breach lasted 6 days before it was corrected. The last breach had gone on for 3 years and was only announced 10 months after patching.
This time, both the response and the announcement were swift. Google’s monitoring of API usage (which can analyze the past two weeks of usage) indicates no one took advantage of the breach.
The end of Google+ (again)
The decision had been made, last October, to end the consumer version of Google+.
The cover-up of the previous incident, amid the Cambridge Analytica aftermath, did not help make Google a transparency champion.
Google’s CEO Sundar Pichai was summoned by the American Senate to explain that cover-up.
The Google+ API is flawed and prone to attacks, and such breaches were bound to happen again. Each bug lowers trust a little more.
In order to give consumers time to migrate to other services, Google had decided to end its social platform in August 2019. Following the latest bug, the deadline is shortened to 90 days, meaning it will end next April.
The Google Suite, used by professionals, will not be affected and maintenance will continue for this service.
Because the handling of the last breach caused quite an uproar, it’s reassuring to see the lesson has been learned. No cover-up or white lies in front of commissions. It seems Google is finally sticking to its own Project Zero rules: 90 days to patch a flaw before it is made public.
Or is there an even bigger flaw that will not have to be disclosed, since the service will now close in 90 days…?