
What's really striking about this to me is that Google didn't disclose the security vulnerability. Google is trying to cover it up by moving the ball from 'there was a breach' to 'we're shutting down G+'. This is why I'm super hesitant to be a Google fanboy. Facebook may have my social media info, but Google has my emails, all of my mobile data, access to a bunch of my assets through Google Domains, GCE etc. Scary stuff.


Uh...it's right there in the blog:

Underlining this, as part of our Project Strobe audit, we discovered a bug in one of the Google+ People APIs:

Users can grant access to their Profile data, and the public Profile information of their friends, to Google+ apps, via the API.

The bug meant that apps also had access to Profile fields that were shared with the user, but not marked as public.

This data is limited to static, optional Google+ Profile fields including name, email address, occupation, gender and age. (See the full list on our developer site.) It does not include any other data you may have posted or connected to Google+ or any other service, like Google+ posts, messages, Google account data, phone numbers or G Suite content.

We discovered and immediately patched this bug in March 2018. We believe it occurred after launch as a result of the API’s interaction with a subsequent Google+ code change.

We made Google+ with privacy in mind and therefore keep this API’s log data for only two weeks. That means we cannot confirm which users were impacted by this bug. However, we ran a detailed analysis over the two weeks prior to patching the bug, and from that analysis, the Profiles of up to 500,000 Google+ accounts were potentially affected. Our analysis showed that up to 438 applications may have used this API.

We found no evidence that any developer was aware of this bug, or abusing the API, and we found no evidence that any Profile data was misused.
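Worked illustration of the visibility mix-up the quoted blog text describes, added here as an example; it is not Google's code, and the ACL model, field names and profile data below are constructed for the illustration. The buggy path hands a third-party app every field of a friend's profile that the authorising user can see; the fixed path restricts friends' fields to those actually marked public.

```python
"""Toy model of a field-level visibility check on a social profile API.

Added example, not Google's People API: the Profile/ACL shape, the field
names and the sample users are assumptions made for this demonstration.
"""
from dataclasses import dataclass
from typing import Dict, Set, Union

PUBLIC = "public"  # marker meaning "visible to everyone"
Scope = Union[str, Set[str]]  # PUBLIC or the set of user IDs a field is shared with


@dataclass
class Profile:
    user_id: str
    fields: Dict[str, str]
    acl: Dict[str, Scope]  # per-field visibility

    def visible_to(self, viewer: str, name: str) -> bool:
        """True if `viewer` is personally allowed to see field `name`."""
        scope = self.acl.get(name)
        if scope == PUBLIC:
            return True
        return isinstance(scope, set) and viewer in scope

    def is_public(self, name: str) -> bool:
        return self.acl.get(name) == PUBLIC


def friend_profile_buggy(app_user: str, friend: Profile) -> Dict[str, str]:
    """Buggy behaviour: the app acts on behalf of `app_user`, and the filter
    asks "can the user see this field?" instead of "is this field public?".
    Fields the friend shared only with the user therefore leak to the app."""
    return {k: v for k, v in friend.fields.items() if friend.visible_to(app_user, k)}


def friend_profile_fixed(app_user: str, friend: Profile) -> Dict[str, str]:
    """Fixed behaviour: for a friend's profile a third-party app only ever gets
    fields marked public, no matter what the authorising user can see."""
    return {k: v for k, v in friend.fields.items() if friend.is_public(k)}


def leaked_fields(app_user: str, friend: Profile) -> Set[str]:
    """Names of fields the buggy path exposes that the fixed path does not."""
    return set(friend_profile_buggy(app_user, friend)) - set(friend_profile_fixed(app_user, friend))


# Constructed sample data: Bob is Alice's friend. His name is public, his
# email is shared only with Alice, and his occupation only with Carol.
BOB = Profile(
    user_id="bob",
    fields={"name": "Bob", "email": "bob@example.com", "occupation": "Engineer"},
    acl={"name": PUBLIC, "email": {"alice"}, "occupation": {"carol"}},
)

if __name__ == "__main__":
    # An app authorised by Alice requests Bob's profile.
    print("buggy:", friend_profile_buggy("alice", BOB))
    print("fixed:", friend_profile_fixed("alice", BOB))
    print("leaked:", leaked_fields("alice", BOB))
```

The difference between the two filters is one predicate: "visible to the requesting user" versus "marked public". A regression test that asserts `leaked_fields` is empty for every (user, friend) pair is the kind of check that would have caught the class of bug the blog post describes, independently of whether request logs are still around.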


> We discovered and immediately patched this bug in March 2018.

I do believe the problem here is that they didn't disclose it in March or April. Disclosing it six months after the fact does not help trust.


Sadly the strategy is working. Not seeing much mention of a breach on HN.


When did "there was a vulnerability" become "there was a breach" ?

I don't understand why it's being reported as a breach.


Google's official statement also doesn't rule out the possibility of a breach.

I think the bigger issue here is that Google did not report the vulnerability/breach when they discovered it. This could be looked into by the SEC.


Because breaches come from public vulnerabilities, unless you can prove there was no breach, you should treat it as a breach. This is common information security practice.

Google are unable to prove there was no breach because they didn't keep sufficient logs, which is also not acceptable in modern security practice.


> This is common information security practice.

No it isn't.

If every vulnerability in every product turned into a "We've been breached" disclosure the industry would be a disaster.

Yeah, they didn't keep sufficient logs and they fucked up really badly there. Still silly to call it a breach.


The industry is a disaster because companies don't disclose potential breaches.


Nice they spent so much time on keeping Microsoft honest. Would have been better if they aimed their sights on their own products a bit longer.


I must have skimmed over it in the article, I only know because it's in the comments. That should have been the headline, imo. Own up to it like other vendors do. I thought Google was good with security, this is a good way to get one of the few positive points about this monolith changed.



