Google+ API Vulnerability Leads to Demise of Platform

Google announced yesterday that it is shutting down the consumer version of Google+. The news came alongside the disclosure of an API vulnerability discovered earlier this year. The company will give users 10 months to download their content.

In early 2018 Google created Project Strobe, an initiative tasked with reviewing third-party developer access to Google account and Android device data. One of Project Strobe's top priorities was to review all of the APIs associated with Google+, which led to the discovery of a massive vulnerability in the Google+ People API. The issue exposed private profile information belonging to the users of 500,000 Google+ accounts.

The vulnerability was discovered in March of 2018, and Google says it patched the bug immediately. When users granted third-party applications access to the information in their profiles and their friends' profiles, they were giving away more than they thought: the bug let those applications read private as well as public profile information. Although Google says it has no reason to believe the issue was ever exploited, an estimated 438 applications may have used the affected API. Google cannot confirm which users were affected because it retained the API's logs for only two weeks, something it touts as a security feature, for what that is worth.

In yet another great example of caveat utilitor (user beware), Google seems to place much of the blame on the complexity of managing social media security. The company stated:

“Our review showed that our Google+ APIs, and the associated controls for consumers, are challenging to develop and maintain.”

Along with this news, Google also announced that it is giving consumers more granular control over account permissions granted through Google OAuth and its APIs. The improvements will let users control more precisely which account data they share with each third-party application. Regarding the changes to its API infrastructure, Google stated:

"Over the next few months, we'll start rolling out an improvement to our API infrastructure. We will show each permission that an app requests one at a time, within its own dialog, instead of presenting all permissions in a single dialog. Users will have the ability to grant or deny permissions individually."

Be sure to read the full announcement for details on how to prepare your app for the changes. The changes will start rolling out to new clients this month and will extend to existing clients early next year.
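The practical consequence of per-permission consent dialogs is that an app can no longer assume every scope it requested was granted. The following Python example, added here and not part of the article or of Google's own code, shows the client-side handling a developer would need: parse the `scope` field of a standard OAuth 2.0 token response (RFC 6749 section 5.1, where the field is space-delimited and may be omitted when it matches the request), gate each feature on the scope it actually holds, and ask for a missing scope only at the moment a feature needs it. The feature names, the feature-to-scope mapping and the sample token response are constructed for the example.

```python
"""Handle partially granted OAuth 2.0 scopes after per-permission consent.

Added example (not from the article or from Google). Once consent is asked
one permission at a time, every requested scope is effectively optional, so
the app must gate features on what the token response actually contains.
"""
import json

# Feature -> OAuth scope that feature needs (assumed mapping for this example).
FEATURE_SCOPES = {
    "show_email":    "https://www.googleapis.com/auth/userinfo.email",
    "show_profile":  "https://www.googleapis.com/auth/userinfo.profile",
    "read_contacts": "https://www.googleapis.com/auth/contacts.readonly",
}


def parse_granted_scopes(token_response: dict, requested: set) -> set:
    """Return the set of scopes the authorization server actually granted.

    RFC 6749 section 5.1: `scope` is a space-delimited list and is OPTIONAL
    when identical to what the client requested. An absent field therefore
    means "everything requested", while an empty string means nothing.
    """
    raw = token_response.get("scope")
    if raw is None:
        return set(requested)
    return set(raw.split())


def evaluate_features(token_response: dict, requested: set,
                      feature_scopes: dict = FEATURE_SCOPES) -> dict:
    """Decide which features may run with the granted scopes.

    Returns a dict with the enabled feature names, a map of disabled
    feature -> missing scope, and the sorted list of granted scopes.
    """
    granted = parse_granted_scopes(token_response, requested)
    enabled, disabled = [], {}
    for feature, scope in feature_scopes.items():
        if scope in granted:
            enabled.append(feature)
        else:
            disabled[feature] = scope
    return {"enabled": sorted(enabled), "disabled": disabled,
            "granted": sorted(granted)}


def scope_to_request(feature: str, already_granted: set,
                     feature_scopes: dict = FEATURE_SCOPES):
    """Scope to ask for when the user first uses `feature`, or None if held.

    Requesting at the moment of need (incremental authorization) ties each
    per-permission dialog to an action the user just took, instead of a
    long up-front list the user is likely to refuse in part.
    """
    needed = feature_scopes[feature]
    return None if needed in already_granted else needed


# Constructed sample token response: the user accepted the email and profile
# permissions but declined the contacts permission in its own dialog.
SAMPLE_TOKEN_RESPONSE = json.loads("""{
  "access_token": "EXAMPLE-ACCESS-TOKEN-PLACEHOLDER",
  "expires_in": 3599,
  "token_type": "Bearer",
  "scope": "https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile"
}""")
REQUESTED_SCOPES = set(FEATURE_SCOPES.values())

if __name__ == "__main__":
    result = evaluate_features(SAMPLE_TOKEN_RESPONSE, REQUESTED_SCOPES)
    print(json.dumps(result, indent=2))
    # When the user later opens the contacts feature, ask for just that scope.
    print(scope_to_request("read_contacts", set(result["granted"])))
```

The design point is that a denied permission is a normal outcome, not an error: the app keeps working with the features it has scopes for and records which scope each disabled feature is missing, so the request can be repeated later in context rather than blocking sign-in.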
