Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 


Forgot your password?
Close
typodupeerror
×
Google Privacy Security Social Networks The Internet

The Breach That Killed Google+ Wasn't a Breach At All (theverge.com) 75

Posted by BeauHD from the technically-speaking dept.
An anonymous reader quotes a report from The Verge: For months, Google has been trying to stay out of the way of the growing tech backlash, but yesterday, the dam finally broke with news of a bug in the rarely used Google+ network that exposed private information for as many as 500,000 users. Google found and fixed the bug back in March, around the same time the Cambridge Analytica story was heating up in earnest. [...] The vulnerability itself seems to have been relatively small in scope. The heart of the problem was a specific developer API that could be used to see non-public information. But crucially, there's no evidence that it actually was used to see private data, and given the thin user base, it's not clear how much non-public data there really was to see. The API was theoretically accessible to anyone who asked, but only 432 people actually applied for access (again, it's Google+), so it's plausible that none of them ever thought of using it this way.

The bigger problem for Google isn't the crime, but the cover-up. The vulnerability was fixed in March, but Google didn't come clean until seven months later when The Wall Street Journal got hold of some of the memos discussing the bug. [...] Part of the disconnect comes from the fact that, legally, Google is in the clear. There are lots of laws about reporting breaches -- primarily the GDPR but also a string of state-level bills -- but by that standard, what happened to Google+ wasn't technically a breach. Those laws are concerned with unauthorized access to user information, codifying the basic idea that if someone steals your credit card or phone number, you have a right to know about it. But Google just found that data was available to developers, not that any data was actually taken. With no clear data stolen, Google had no legal reporting requirements. As far as the lawyers were concerned, it wasn't a breach, and quietly fixing the problem was good enough.
This discussion has been archived. No new comments can be posted.

The Breach That Killed Google+ Wasn't a Breach At All More

The Breach That Killed Google+ Wasn't a Breach At All

Comments Filter:

  • shocked (Score:1)

    by Anonymous Coward
    The true shock is that their was as many as 500k users of google+, I guess even a flea infested mangy dog attracts some people.

    • It may be small and flea ridden, but at least it's not Facebook.

    • well google themselves admit they aren't active users, most are people who signed up when it was required to get to youtube or things. That being said from what I've seen G+ interface and use wise I always found better than facebook... Though I value my privacy and don't give a crap about what my "friends" would say publicly to a full audience, so I don't really comprehend the appeal of either.

      • The Circles concept is sound even if the average user didn't quite grasp the implementation.

        There should really be a universally interoperational social networking platform standard that isn't controlled by any single corporation or country. Diaspora has many good ideas, but unfortunately lacks resources.

  • Really? (Score:3)

    by Chris Katko ( 2923353 ) on Wednesday October 10, 2018 @06:45PM (#57458434)

    The company that thinks it's okay to censor US citizens, and now Chinese citizens, build weapons for the US government, track every citizen on the planet, also has no problem covering up leaks of... tracking every citizen on the planet?

    Tim "Don't-be-Evil is was the stupidest rule ever." Cook

    Color me surprised.

    • I'd give you mod points if I had them.

      Clearly, do no evil also includes telling everyone much later if the really screw things up. I'm not sure they have a method of knowing if there was data exfiltration, so it's just another day for the Alphabet soup.

      Nice of them to give notice. Also nice of them to have fixed it first, before cashiering it with no rational replacement, just a failed experiment in giving Facebook heartburn. Blah.

  • This is some mighty fine concern trolling (Score:5, Interesting)

    by rsilvergun ( 571051 ) on Wednesday October 10, 2018 @06:49PM (#57458452)
    I like how they try to tie it to the Cambridge Analytics scandal to get a rise out of the community. Yes, Google is not required to report every bug they fix when no breach occurred. There's nothing wrong with that. As for for shutting down Google+, it was as good a time as any. If they're going to start having to worry about bad press over a dead product they're going to finish killing it.

    This reads like a hit piece on google. I can't imagine why [youtube.com].

    • Re: (Score:3)

      by mattyj ( 18900 )

      Er, the climate against tech industry at the time of the Cambridge is where the comparison comes in. In other words, Google probably has other skeletons in their closet they didn't want the feds sniffin' around to find. If you had basic English reading comprehension skills you could figure that out. Nobody was comparing one incident to the other, it was Google itself, in the memos, that specifically cited Cambridge as a factor in them not disclosing this bug.

      • Anybody with any sense at all doesn't want the Feds nosing around their business. It's not an accident that the system is set up so that you commit at least 3 felonies a day.

  • Just Google offering access to the information it collects from its users to its actual customers. Yeah, that makes it all better.

    Let’s remember this the next time Project Zero broadcasts the shortcomings of some other companies’ products.

  • Inept Google (Score:5, Interesting)

    by mattyj ( 18900 ) on Wednesday October 10, 2018 @06:57PM (#57458494)

    Lost in all this discussion is the ineptitude of Google's engineers, security auditors, API designers, testers and who knows who else that would let something like this slip through unnoticed for so long. I no longer question Googel's ethics (they're bad) but more and more I'm questioning what kind of tech sweatshop they're running.

    And what else is lurking out there that will (un?)intentionally give those of us pause that have already absolved ourselves of everything G.

    • Google has a lot of good programmers, but lately they've hired a lot of bad programmers, too. There are entire books written about how to pass the job interview at Google, and so the interview process has become less and less accurate at determining skill level.

    • Re: (Score:2)

      by Njovich ( 553857 )

      Bugs that arise out of the interaction between services are notoriously hard to find. It's easy to call Google security inept, but realistically they have some of the best in business.

    • Re: (Score:2)

      by Dan667 ( 564390 )
      of all the things you go after Google's ethics? Compared to facebook, microsoft, or amazon among others their saints.

    • Too few people were using G+ for anyone to notice the bug. I think they are just using it as an excuse to kill off G+, so they can focus more on Social Justice.

  • Ha! Proof of time travel: Here I am on the east coast of the US at 6:56pm, and this story was posted at 7:40pm. Unless BeauHD is on a ship in the Atlantic, I call shenanigans!
    (Ireland isn't close enuf for only 5 posts since then...)

  • Lawyers have a strange way of thought... (Score:5, Insightful)

    by Cochonou ( 576531 ) on Wednesday October 10, 2018 @07:19PM (#57458556) Homepage
    But crucially, there's no evidence that it actually was used to see private data, and given the thin user base, it's not clear how much non-public data there really was to see. The API was theoretically accessible to anyone who asked, but only 432 people actually applied for access (again, it's Google+), so it's plausible that none of them ever thought of using it this way.
    As far as the lawyers were concerned, it wasn't a breach, and quietly fixing the problem was good enough.

    In this particular case, it seems they would need to provide evidence that no data was accessed, rather than saying that they see no evidence that data was accessed.

    • There were 400 people who could have accessed a list og names and email addresses if they figured out how, and there is no reason to believe any of them did.

      If that's the standard for a situation that has to be reported, nearly every company in the world has a situation to report, because there are 400 people who can access customer data, if they figure out how.

      For every large company, 400 employees have some access to customer data. For all the smaller companies, half of the attendees at Defcon (7,000 pe

      • Re: (Score:2)

        by ljw1004 ( 764174 )

        and there is no reason to believe any of them did.

        That's a slippery sentence to make. We have no evidence either way, of course. So anyone's belief on this matter must just be based on their personal understanding of industry trends about vulnerability exploitation, extrapolated to this case.

        If you'd just said "I have no reason to believe" then that would have been an easy statement to make: that your understanding of industry trends doesn't provide reason for you to believe that the vulnerability was exploited.

        But you actually made a startlingly strong as

      • Yes, but the situation is a little more shady than that. It's not really 438 people, it's 438 third-party applications [www.blog.google] and therefore 438 organisations. How many people behind those organisations ?
        Furthermore, it appears that Google only keeps the log of the third-party API access for two weeks. Given the time window of this vulnerability, it seems quite misleading to go out and say that there is no evidence that this was used.
        I agree with you that the information leaked seems pretty benign. Therefore, th

        • > It's not really 438 people, it's 438 third-party applications and therefore 438 organisations.

          Good point. I guess some organizers could have made more than one app, so technically up to 438 organizations, but your point stands.

          > it seems quite misleading to go out and say that there is no evidence that this was used.

          I've been doing cybersecurity professionally for fifteen years. Every day I and my team find thousands of vulnerabilities. Essentially every company has vulnerabilities. Two days ago w

    • Re: (Score:2)

      by Njovich ( 553857 )

      Do you have any sensitive data on your email or laptop? How about you prove that it wasn't accessed in the years specter and meltdown were not fixed, and until you do we just run a trial by media.

  • There are zero consequences for these corporate PII losses and security breaches, so the rational Friemanite response for a corporation and its fiduciaries is to ignore them. Pay a small fine here and there; admit no fault. Good to go.

  • Someone could have walked in and robbed you blind.

    They didn't, but they could have.

  • I'm going to miss Google+ (Score:5, Interesting)

    by sremick ( 91371 ) on Wednesday October 10, 2018 @10:49PM (#57459316)

    It always frustrated me how "cool" it became to dig on Google+. Journalists, podcasts, etc... it seemed once it caught on that "we all hate Google+ now" it seemed everyone was falling over themselves to make fun of Google+, but without any real substantial reason other than it was the popular thing to do.

    The truth is, there was a LOT about Google+ that was better than Facebook. The Circles thing was extremely smart and useful. Nevermind that the average user is too fucking stupid and/or lazy to bother to learn or make use of it... that doesn't make the feature any less good. It's a failing of the userbase, not the service.

    Honestly one of the real things that killed Google+ early on was the lack of any sort of events feature. This is BIG on Facebook, and in fact many users maintain a FB profile for no other reason than to be notified and invited to events. These people don't post nor read posts. For whatever reason, Google refused to add events into Google+ and this was a huge reason why people who dipped their toes into it early on became disenchanted and never came back. It couldn't replace FB if it lacked a major feature of FB that they cared about.

    Even to this day though Google+ has had the advantage of being a community with far less BS, trolling and spam than Facebook. The signal-to-noise ratio for the Google+ communities I participate in is exponentially better than anything on Facebook. This will be a great loss.

    • Honestly one of the real things that killed Google+ early on was the lack of any sort of events feature. This is BIG on Facebook, and in fact many users maintain a FB profile for no other reason than to be notified and invited to events. These people don't post nor read posts. For whatever reason, Google refused to add events into Google+ and this was a huge reason why people who dipped their toes into it early on became disenchanted and never came back. It couldn't replace FB if it lacked a major feature of FB that they cared about.

      This is why me and my friends abandoned it after jumping over when it first began to open up. It seemed to tie in with everything else Google. It allowed for custom groups of people as FB didn't at the time. They even worked with people's emails that weren't Google email. Google calendar was right there, but there was no integration. Meanwhile, all personal and organizational events in the city were being managed through FB Events. All except for one of us were back on FB in two weeks.

  • Comment removed based on user account deletion

Slashdot Top Deals

We are each entitled to our own opinion, but no one is entitled to his own facts. -- Patrick Moynihan

Close