There is no evidence that the flaw was misused during the six days it was alive, said the tech giant.
Google is closing down its social network Google+ for consumers sooner than planned following the discovery of a new security issue that exposed the data of 52.5 million users.
Only two months ago, Google announced that it would shut down the consumer version of Google+ in a move precipitated by a bug that may have leaked the data of half a million users to external developers.
A new announcement on Monday now reveals that Google has detected another (and similar) glitch that affected one of the social platform’s Application Programming Interfaces (APIs), giving app developers access to users’ profile information such as names, email addresses, ages and occupations – even if their profiles were configured to remain private.
“In addition, apps with access to a user’s Google+ profile data also had access to the profile data that had been shared with the consenting user by another Google+ user but that was not shared publicly,” according to the announcement.
On the other hand, the company gave assurances that more sensitive information, such as “financial data, national identification numbers, passwords, or similar data typically used for fraud or identity theft”, was never exposed.
Discovered by Google’s own engineers, the flaw was found to have been shipped with a software update in November. It was fixed within a week, said Google, and there is no evidence that any app developer was aware of or misused the glitch during the six days it was alive.
At any rate, the discovery was enough to prompt the company to move the shutdown date of Google+ for consumers from August 2019 to April 2019. For APIs associated with the platform’s consumer version, the kiss of death will come even sooner – within the next 90 days.
As announced in October, Google+ will continue to be available to enterprise customers.
Written by Tomas Foltyn, ESET We Live Security