The consumer version of Google+ is closed. Google’s Facebook competitor appears to have had a vulnerability for years, so that user data could easily be viewed by third parties. Many people had expected that the service would stop with a sigh, but now it turns out that it would happen with a bang.

Yesterday, the Wall Street Journal reported that earlier this year, Google was made aware of a vulnerability in Google+. The company decided not to make them public because it feared reputational damage and an investigation of governments. Google confirms that it was aware of the vulnerability. But it stresses that there is no evidence that there was a developer who has been aware of this bug. Nor have we seen any evidence that the API has been misused, or that profile data has been misused.

Access to data

The vulnerability had an impact on access to data. Users give a third party access to data via the Google+ interface. In doing so, even malicious parties could easily capture data. The names, e-mail addresses, dates of birth, profile photos and gender of more than half a million Google+ accounts would have been vulnerable in this way over the past three years.

Google reports that it has already solved the vulnerability in March. Nevertheless, it plans to close the consumer version of the social medium in ten months’ time. The business version used by G Suite-customers will continue to exist for the time being. This research has confirmed what we have known for some time: that although our developers have put a lot of time and dedication into the development of Google+, it hasn’t been widely picked up by consumers and developers. Ninety percent of user sessions on Google+ take less than five seconds.

Why not unveiled?

Google itself states that the decision not to reveal the vulnerability is the result of an internal investigation. It would have looked at the type of data that was vulnerable, whether Google would be able to determine exactly which users were affected, whether there was evidence of an actual leak and whether additional steps had to be taken by users or developers. None of this was the case.

This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.