- A bug in the Google+ API left data like name, email address and gender of up to 500,000 users exposed
- Google patched the issue earlier this year and didn’t find any evidence of the data being misused
- This is the final nail in the coffin for Google+, which will be shut down by the end of 2019
In the past couple of years we’ve seen a few giants either fall under scrutiny for how they’ve handled their users’ personal information (ahem, Facebook!), or straight up have their user data held for ransom, as was the case with Uber.
Now it seems it’s Google’s turn. The search giant left personal information exposed for more than a few users of its Google+ social network. How many users? Up to 500,000.
Luckily, it seems no one took advantage of the exposed data, so we should all be safe.
We, however, will take advantage of this piece of news to kick off a new series of blog posts in which we briefly look at big companies’ recent vulnerabilities: what they mean for us as developers, and how we could prevent similar problems from happening to us in the future.
So what happened?
According to a blog post from Google, the bug was found in the Google+ People API. Normally, when you granted an app access via the API, you also gave it permission to read your friends’ public profile information. The bug, though, meant that apps could also see information about your friends that had been shared with you but wasn’t marked as public on their profiles.
To put it in other words, it’s kind of like making friends with a kid at school just so you can also hang out with his group of friends. And get all of their emails. Also, the kid has 500,000 friends. And none of them know who you are.
What does this mean?
By taking advantage of this vulnerability someone could, by getting permission to read only one user’s profile info, also get access to the email addresses, first and last names, gender, age, and occupation of that user’s contacts.
According to Google up to 438 applications may have used this API, but they didn’t find any evidence of misuse. The issue was patched in March 2018.
How can I prevent issues like these in my app?
This is an interesting case that shows you have to be careful not only with your own code, but also with the third-party APIs and libraries you use in it.
One bit of good advice would be to work with the information you need server side, and send only the necessary data over to the front end of your app. If all you need is your user’s first and last name, then send only that and not an object with the whole response from the API. That way your users’ information isn’t exposed any more widely than it has to be.
Another thing to be very cautious about is the permissions granted to third-party applications. The bug that affected Google+ is commonly called Broken Authorization, and it happens when the application fails to correctly validate which information a third-party app or user is allowed to obtain from the API.
In other words, the application lacks a secure user role authorization mechanism. This could have been abused by third-party applications that use the Google+ People API to leak information about the users and their friends in all sorts of ways.
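To make the two pieces of advice concrete, here is an added example (not code from the original post, nor Google’s own) that models the authorization mistake described above: the buggy path releases every field the *viewer* can see, so a third-party app inherits the viewer’s private access to their friends, while the hardened path authorizes each field against what the *app* was granted and against an explicit server-side allow-list. The profile fields, visibility labels and the sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

PUBLIC = "public"
FRIENDS_ONLY = "friends"   # shared with the viewer's circles, not public


@dataclass
class Profile:
    user_id: str
    # field name -> (value, visibility); a constructed model of a profile record
    fields: Dict[str, Tuple[str, str]]


def buggy_friend_view(viewer_can_see: Dict[str, Tuple[str, str]]) -> dict:
    """'Before' behaviour: returns everything the viewer is allowed to see,
    so an app holding the viewer's grant also receives friends-only fields."""
    return {name: value for name, (value, _visibility) in viewer_can_see.items()}


# What the app actually needs; anything else is never sent to the client.
ALLOWED_FIELDS: Set[str] = {"display_name", "profile_url"}


def app_friend_view(profile: Profile, requested: Optional[Set[str]] = None) -> dict:
    """Hardened: authorize per field against the app's own grant (public data only),
    then minimise to the allow-list before anything leaves the server."""
    wanted = ALLOWED_FIELDS if requested is None else requested & ALLOWED_FIELDS
    return {
        name: value
        for name, (value, visibility) in profile.fields.items()
        if name in wanted and visibility == PUBLIC
    }


# Constructed sample: a friend who shares email, gender and occupation with circles only.
FRIEND = Profile("friend-1", {
    "display_name": ("Ada", PUBLIC),
    "profile_url": ("https://example.invalid/ada", PUBLIC),
    "email": ("ada@example.invalid", FRIENDS_ONLY),
    "gender": ("female", FRIENDS_ONLY),
    "occupation": ("engineer", FRIENDS_ONLY),
})

if __name__ == "__main__":
    print("buggy:", buggy_friend_view(FRIEND.fields))   # leaks email, gender, occupation
    print("fixed:", app_friend_view(FRIEND))            # display_name and profile_url only
```

Note that a request for `email` is silently dropped by the hardened path even though the viewer can see it, which is the behaviour the patched API should have had from the start.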
But what if you do need to share user information? Or what if you think your app may be compromised and don’t want to risk leaking data on your users? Hackmetrix can help you regularly scan your app for over 500 vulnerabilities in just a few clicks. Once the scan is done you’ll get a neat report of everything we found and how it could affect your application. Did we mention you can get started for free?
Are there any specific cases you’d like us to review? Let us know on Twitter, and follow us to keep up with more security news and how to avoid or deal with the same vulnerabilities that affect tech giants today.