Google security audit begets product changes, German probe

A Google security audit called Project Strobe was tasked with assessing third-party access to Google account and Android device data and the initial findings uncovered a “glitch” that sparked the shutdown of Google+ and a probe by a German data protection agency.

The Google security audit found issues in different Google products, leading the company to limit the data that apps have access to when connected to Gmail, limit the data available through the Android Contacts API and to give users more control over what data is shared with apps that connect to a Google account.

But, the biggest issue found by the Google security audit was a bug in the Google+ API that gave third-party apps access to certain fields in a user’s profile that weren’t explicitly marked as “public.” Google claimed this only included a user’s name, email address, occupation, gender and age and did “not include any other data you may have posted or connected to Google+ or any other service, like Google+ posts, messages, Google account data, phone numbers or G Suite content.”

“We found no evidence that any developer was aware of this bug, or abusing the API, and we found no evidence that any profile data was misused,” wrote Ben Smith, Google fellow and vice president of engineering, in a blog post. “We made Google+ with privacy in mind and therefore keep this API’s log data for only two weeks. That means we cannot confirm which users were impacted by this bug. However, we ran a detailed analysis over the two weeks prior to patching the bug, and from that analysis, the Profiles of up to 500,000 Google+ accounts were potentially affected. Our analysis showed that up to 438 applications may have used this API.”

Google fixed the bug, and said Google+ for consumers will be shut down in August 2019, though the enterprise version of the app will remain. But the issue was present from 2015 until March 2018 and the company has come under fire because affected users were never notified of the issue after the Google security audit.

Paul Bischoff, editor at Comparitech, said Google was “pleading ignorance in order to shield itself from legal ramifications.”

“It has conveniently left out some crucial figures in its response that would give us a more clear picture of the scope of this incident. For example, Google says 438 applications had unauthorized access to Google+ profile data, but it doesn’t say how many of its users used those apps. And while Google says it performed a cursory investigation and found nothing suspicious, it also notes that it didn’t actually contact or audit any of the developers of those apps,” Bischoff wrote via email. “As popular and high-profile as Google is, and due to the fact that this vulnerability existed for the better part of three years, it would be reasonable to assume the number of occurrences in which Google+ data was obtained and misused is non-zero.”

Baber Amin, CTO West at Ping Identity, said although “both the recent Facebook breach and the Google+ data incident stemmed from API vulnerability issues, there is a fundamental difference between the two.”

“On the one hand, Facebook issued tokens for apps to access user data without checking if an app was authorized to get such access in the first place. In Google’s case, the incident was a result of an API programming error. Google granted permission for developers to access certain information, but the user had to give their consent,” Harguindeguy wrote via email. “The issue arose because Google’s APIs also granted access to a user’s friend’s private information. An important layer was lacking: consent from the user’s friends.” 

Ilia Kolochenko, CEO of High-Tech Bridge, said the timeline of the Google security audit and disclosure “is incomprehensibly long and will likely provoke a lot of questions from regulatory authorities.”

Inability to assess and quantify the users impacted does not exempt from disclosure.
Ilia KolochenkoCEO, High-Tech Bridge

“Inability to assess and quantify the users impacted does not exempt from disclosure. Although, a security vulnerability per se does not automatically trigger the disclosure duty, in this case it seems that Google has some reasonable doubts that the flaw could have been exploited,” Kolochenko wrote via email. “Technically speaking, this is one more colorful example that bug bounty is no silver bullet even with the highest payouts by Google. Application security is a multi-layered approach process that requires continuous improvement and adaptation for new risks and threats. Such vulnerabilities usually require a considerable amount of efforts to be detected, especially if it (re)appears on a system that has been already tested. Continuous and incremental security monitoring is vital to maintain modern web systems secure.”

The first regulatory authority to begin asking questions was Johannes Caspar, data protection and freedom of information commissioner, based in Hamburg, Germany, according to a report by Bloomberg. Caspar noted that no investigation has begun and he had no more information on the Google+ exposure than anyone else.

However, Tyler Moffitt, senior threat research analyst at Webroot, said Google might not face too harsh a penalty for the data exposure discovered by the Google security audit.

“Although it seems that Google has shut down an entire line of business due to this breach, from a GDPR perspective, the company appears to have gotten off light. Had this breach occurred just a few months later, Google could be subject to strict GDPR fines for not keeping user data safe,” Moffitt wrote via email. “It’s important for consumers to realize that connecting apps in social media platforms only increases the amount of valuable information that could potentially be breached, as well as increases attack vectors that hackers can leverage.”