Dec. 10, 2018 – Google revealed today a second bug in the Google+ API that could have been abused to steal the private data of nearly 52.5 million users.
According to a Google spokesperson, the bug came to light following internal tests and was not exploited by any third party, at least based on current evidence.
Following the discovery of this new API bug, Google has also decided to move the shutdown date for the consumer version of Google+ from August 2019 to April 2019.
Google previously announced its plans to shut down the consumer version of the Google+ social network after the company found another API bug in October that exposed the private profile details of over 500,000 users.
According to an incident report published by Google earlier today, this second bug resided in the Google+ People API endpoint that apps and developers used to get information about user profiles.
Google said the bug allowed apps that had been granted permission to view Google+ profile data to incorrectly receive permission to view profile information that the user had set to “not-public.”
A full list of the profile data an attacker could have gained access to can be found here; it includes information such as name, email address, occupation, age, skills, birthday, nickname, and more.
“In addition, apps with access to a user’s Google+ profile data also had access to the profile data that had been shared with the consenting user by another Google+ user but that was not shared publicly,” Google added.
More sensitive Google+ data like financial information, national identification numbers, or passwords was not affected, the company added.
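The failure described above is a field-level authorization bug: an app's OAuth scope is enough to call the People API, but each profile field's audience setting must still decide whether that field is returned, and an app acting for a consenting user must not inherit everything that user could see in the product UI. The following is an added illustration, not Google's code and not part of the original article: a constructed, simplified profile model with the defect pattern (treating the scope-holding app as if it were the consenting user) beside the corrected check, plus a comparison helper a defender could run as a regression test. The `profile.read` scope name, the `Profile` class, and the sample users are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Set

# Constructed, simplified model of a profile-read API; not Google's implementation.
PUBLIC = "public"
NOT_PUBLIC = "not-public"
PROFILE_SCOPE = "profile.read"  # hypothetical scope name


@dataclass
class Profile:
    owner: str
    fields: Dict[str, str]                 # field name -> value
    audience: Dict[str, str]               # field name -> PUBLIC or NOT_PUBLIC
    # field name -> user ids the owner explicitly shared a not-public field with
    shared_with: Dict[str, Set[str]] = field(default_factory=dict)


def user_can_see(profile: Profile, viewer: str, name: str) -> bool:
    """What a signed-in human viewer may see in the product UI: their own
    fields, public fields, and not-public fields shared directly with them."""
    if viewer == profile.owner:
        return True
    if profile.audience[name] == PUBLIC:
        return True
    return viewer in profile.shared_with.get(name, set())


def broken_app_view(profile: Profile, consenting_user: str, scopes: Set[str]) -> Dict[str, str]:
    """Defect pattern: the scope check is correct, but the per-field check reuses the
    human viewer's visibility, so the app receives the consenting user's own not-public
    fields and not-public fields that other users shared only with that person."""
    if PROFILE_SCOPE not in scopes:
        return {}
    return {n: v for n, v in profile.fields.items()
            if user_can_see(profile, consenting_user, n)}


def app_view(profile: Profile, consenting_user: str, scopes: Set[str]) -> Dict[str, str]:
    """Corrected check: the scope gates the call; the field's own audience setting gates
    each field. A third-party app is a distinct principal from the consenting user, so
    it is limited to fields the owner marked public, whoever it acts on behalf of."""
    if PROFILE_SCOPE not in scopes:
        return {}
    return {n: v for n, v in profile.fields.items()
            if profile.audience[n] == PUBLIC}


def leaked_fields(profile: Profile, consenting_user: str, scopes: Set[str]) -> Set[str]:
    """Regression helper: fields the defective path returns that the corrected
    path does not. A non-empty result is a finding."""
    return set(broken_app_view(profile, consenting_user, scopes)) - set(app_view(profile, consenting_user, scopes))


# Constructed sample data.
ALICE = Profile(
    owner="alice",
    fields={"name": "Alice Example", "birthday": "1990-01-01"},
    audience={"name": PUBLIC, "birthday": NOT_PUBLIC},
)
BOB = Profile(
    owner="bob",
    fields={"name": "Bob Example", "occupation": "engineer"},
    audience={"name": PUBLIC, "occupation": NOT_PUBLIC},
    shared_with={"occupation": {"alice"}},   # Bob shared this field with Alice only
)

if __name__ == "__main__":
    scopes = {PROFILE_SCOPE}
    # Alice's own not-public birthday leaks to an app acting for Alice.
    print("own-profile leak:", leaked_fields(ALICE, "alice", scopes))
    # Bob's field shared privately with Alice leaks to an app acting for Alice.
    print("shared-field leak:", leaked_fields(BOB, "alice", scopes))
    print("corrected view of Bob for Alice's app:", app_view(BOB, "alice", scopes))
```

The `leaked_fields` comparison is the kind of check worth keeping in an API test suite: for every field audience value, assert that the app-facing response is a subset of the fields the audience setting allows, independent of who consented.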
Google said the bug was introduced in November during a previous platform update and was live for only six days before its engineers discovered the issue.
The company is now notifying users impacted by this issue.
“Our investigation is ongoing as to any potential impact to other Google+ APIs,” Google said.
In addition to moving the Google+ sunset date four months earlier, Google also said it would be shutting down all Google+ APIs for the Google+ consumer version within 90 days, well before the April 2019 shutdown date.
Google+ will continue to be available to enterprise customers past April 2019 as an enterprise offering available through the company’s G Suite service. Many companies have adopted the Google+ on-demand platform as an intranet and/or Slack alternative.