Slashdot Mirror

← Back to Stories (view on slashdot.org)

The Breach That Killed Google+ Wasn't a Breach At All (theverge.com)

Posted by BeauHD on from the technically-speaking dept.

An anonymous reader quotes a report from The Verge: For months, Google has been trying to stay out of the way of the growing tech backlash, but yesterday, the dam finally broke with news of a bug in the rarely used Google+ network that exposed private information for as many as 500,000 users. Google found and fixed the bug back in March, around the same time the Cambridge Analytica story was heating up in earnest. [...] The vulnerability itself seems to have been relatively small in scope. The heart of the problem was a specific developer API that could be used to see non-public information. But crucially, there's no evidence that it actually was used to see private data, and given the thin user base, it's not clear how much non-public data there really was to see. The API was theoretically accessible to anyone who asked, but only 432 people actually applied for access (again, it's Google+), so it's plausible that none of them ever thought of using it this way.

The bigger problem for Google isn't the crime, but the cover-up. The vulnerability was fixed in March, but Google didn't come clean until seven months later when The Wall Street Journal got hold of some of the memos discussing the bug. [...] Part of the disconnect comes from the fact that, legally, Google is in the clear. There are lots of laws about reporting breaches -- primarily the GDPR but also a string of state-level bills -- but by that standard, what happened to Google+ wasn't technically a breach. Those laws are concerned with unauthorized access to user information, codifying the basic idea that if someone steals your credit card or phone number, you have a right to know about it. But Google just found that data was available to developers, not that any data was actually taken. With no clear data stolen, Google had no legal reporting requirements. As far as the lawyers were concerned, it wasn't a breach, and quietly fixing the problem was good enough.

29 of 75 comments (clear)

  1. shocked by Anonymous Coward · · Score: 1

    The true shock is that their was as many as 500k users of google+, I guess even a flea infested mangy dog attracts some people.

    1. Re:shocked by Darinbob · · Score: 1

      It may be small and flea ridden, but at least it's not Facebook.

    2. Re:shocked by Riceballsan · · Score: 1

      well google themselves admit they aren't active users, most are people who signed up when it was required to get to youtube or things. That being said from what I've seen G+ interface and use wise I always found better than facebook... Though I value my privacy and don't give a crap about what my "friends" would say publicly to a full audience, so I don't really comprehend the appeal of either.

    3. Re:shocked by Anonymous+Bullard · · Score: 1

      The Circles concept is sound even if the average user didn't quite grasp the implementation.

      There should really be a universally interoperational social networking platform standard that isn't controlled by any single corporation or country. Diaspora has many good ideas, but unfortunately lacks resources.

      --

      Should invading one's peaceful neighbours be opposed, or rewarded with trade deals?

  2. Really? by ckatko · · Score: 2

    The company that thinks it's okay to censor US citizens, and now Chinese citizens, build weapons for the US government, track every citizen on the planet, also has no problem covering up leaks of... tracking every citizen on the planet?

    Tim "Don't-be-Evil is was the stupidest rule ever." Cook

    Color me surprised.

    1. Re:Really? by postbigbang · · Score: 1

      I'd give you mod points if I had them.

      Clearly, do no evil also includes telling everyone much later if the really screw things up. I'm not sure they have a method of knowing if there was data exfiltration, so it's just another day for the Alphabet soup.

      Nice of them to give notice. Also nice of them to have fixed it first, before cashiering it with no rational replacement, just a failed experiment in giving Facebook heartburn. Blah.

      --
      ---- Teach Peace. It's Cheaper Than War.
  3. This is some mighty fine concern trolling by rsilvergun · · Score: 5, Interesting

    I like how they try to tie it to the Cambridge Analytics scandal to get a rise out of the community. Yes, Google is not required to report every bug they fix when no breach occurred. There's nothing wrong with that. As for for shutting down Google+, it was as good a time as any. If they're going to start having to worry about bad press over a dead product they're going to finish killing it.

    This reads like a hit piece on google. I can't imagine why.

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
    1. Re:This is some mighty fine concern trolling by mattyj · · Score: 2

      Er, the climate against tech industry at the time of the Cambridge is where the comparison comes in. In other words, Google probably has other skeletons in their closet they didn't want the feds sniffin' around to find. If you had basic English reading comprehension skills you could figure that out. Nobody was comparing one incident to the other, it was Google itself, in the memos, that specifically cited Cambridge as a factor in them not disclosing this bug.

    2. Re: This is some mighty fine concern trolling by Anonymous Coward · · Score: 1

      Microsoft does in fact publish reports if critical customer data leak risk is possible with their cloud services. At least they do for enterprise products.

      How long between Microsoft learning about Meltdown and reporting that to its customers? How long between Microsoft learning about the Hyperthread data leak and reporting that to its customers? And even in your own statement, you very narrowly spell out data leak risk disclosures apply (at least) for cloud services, at least for enterprise products. So, how much wiggle room does that grant them? Enough to drive a truck through, basically.

      Don't get me wrong: I'd love for companies to be more open and transparent when it comes to even the risk of a data leak. It's just that with the flood of *actual* data leaks and no real consequences, it's a lot harder to care about *possible* data leaks. Sure, it's yet another reason to point out the generally hypocritical hyperbole that Google employees espouse when they're point out Microsoft bugs, but efforts to conflate it to actual, wide-spread abuse is basically just political bullshit and Google knows it.The whole media circus around Cambridge Analytica made it plainly clear based upon peoples general response.

      I mean, look at the response right *now* and how absurd it is when Facebook had a similar sort of bug but of a much larger scale (thanks to a much more dominant position). There's a lot more reason to believe that bug was exploited with a much larger user base as the people able to exploit it was basically everyone (IIRC) and not a paltry 0.1% of the users. The perspective of people to joke "good thing I don't use Google+" or similar just sounds so... I can't even begin to describe the feeling.

    3. Re:This is some mighty fine concern trolling by terrycarlino · · Score: 1

      Anybody with any sense at all doesn't want the Feds nosing around their business. It's not an accident that the system is set up so that you commit at least 3 felonies a day.

  4. Not a bug by 93+Escort+Wagon · · Score: 1

    Just Google offering access to the information it collects from its users to its actual customers. Yeah, that makes it all better.

    Let’s remember this the next time Project Zero broadcasts the shortcomings of some other companies’ products.

    --
    #DeleteChrome
  5. Inept Google by mattyj · · Score: 4, Interesting

    Lost in all this discussion is the ineptitude of Google's engineers, security auditors, API designers, testers and who knows who else that would let something like this slip through unnoticed for so long. I no longer question Googel's ethics (they're bad) but more and more I'm questioning what kind of tech sweatshop they're running.

    And what else is lurking out there that will (un?)intentionally give those of us pause that have already absolved ourselves of everything G.

    1. Re:Inept Google by phantomfive · · Score: 2

      Google has a lot of good programmers, but lately they've hired a lot of bad programmers, too. There are entire books written about how to pass the job interview at Google, and so the interview process has become less and less accurate at determining skill level.

      --
      "First they came for the slanderers and i said nothing."
    2. Re:Inept Google by Njovich · · Score: 1

      Bugs that arise out of the interaction between services are notoriously hard to find. It's easy to call Google security inept, but realistically they have some of the best in business.

    3. Re:Inept Google by Dan667 · · Score: 1

      of all the things you go after Google's ethics? Compared to facebook, microsoft, or amazon among others their saints.

    4. Re:Inept Google by iMadeGhostzilla · · Score: 1

      Too few people were using G+ for anyone to notice the bug. I think they are just using it as an excuse to kill off G+, so they can focus more on Social Justice.

  6. Lawyers have a strange way of thought... by Cochonou · · Score: 4, Insightful

    But crucially, there's no evidence that it actually was used to see private data, and given the thin user base, it's not clear how much non-public data there really was to see. The API was theoretically accessible to anyone who asked, but only 432 people actually applied for access (again, it's Google+), so it's plausible that none of them ever thought of using it this way.
    As far as the lawyers were concerned, it wasn't a breach, and quietly fixing the problem was good enough.

    In this particular case, it seems they would need to provide evidence that no data was accessed, rather than saying that they see no evidence that data was accessed.

    1. Re:Lawyers have a strange way of thought... by Njovich · · Score: 1

      Do you have any sensitive data on your email or laptop? How about you prove that it wasn't accessed in the years specter and meltdown were not fixed, and until you do we just run a trial by media.

    2. Re:Lawyers have a strange way of thought... by yes-but-no · · Score: 1

      If you are legally required to provide evidence and you fail to, aren't you guilty? Why we need to care if they ran the logs are not? that's in their domain. Out side our scope.

  7. Zero consequences by sphealey · · Score: 1

    There are zero consequences for these corporate PII losses and security breaches, so the rational Friemanite response for a corporation and its fiduciaries is to ignore them. Pay a small fine here and there; admit no fault. Good to go.

  8. EVERY company, by that standard. Phone book info by raymorris · · Score: 2

    There were 400 people who could have accessed a list og names and email addresses if they figured out how, and there is no reason to believe any of them did.

    If that's the standard for a situation that has to be reported, nearly every company in the world has a situation to report, because there are 400 people who can access customer data, if they figure out how.

    For every large company, 400 employees have some access to customer data. For all the smaller companies, half of the attendees at Defcon (7,000 people) could access their data - and that's 7,000 people just in one room.

    Actually never mind hackers, have you ever heard of a phone book? That's a much larger list of names, and the phone book even includes physical addresses. It's delivered to everyone, not just available to a few hundred people.

    If it were credit card information, as opposed to phone book information, that would have been different. My company once had a potential vulnerability that could, in theory, expose credit cards, though that was unlikely. I personally called every customer who could have been affected and let them know they should check their credit card statement just in case.

  9. Hey! Ya left your door unlocked... by bferrell · · Score: 1

    Someone could have walked in and robbed you blind.

    They didn't, but they could have.

  10. I'm going to miss Google+ by sremick · · Score: 4, Interesting

    It always frustrated me how "cool" it became to dig on Google+. Journalists, podcasts, etc... it seemed once it caught on that "we all hate Google+ now" it seemed everyone was falling over themselves to make fun of Google+, but without any real substantial reason other than it was the popular thing to do.

    The truth is, there was a LOT about Google+ that was better than Facebook. The Circles thing was extremely smart and useful. Nevermind that the average user is too fucking stupid and/or lazy to bother to learn or make use of it... that doesn't make the feature any less good. It's a failing of the userbase, not the service.

    Honestly one of the real things that killed Google+ early on was the lack of any sort of events feature. This is BIG on Facebook, and in fact many users maintain a FB profile for no other reason than to be notified and invited to events. These people don't post nor read posts. For whatever reason, Google refused to add events into Google+ and this was a huge reason why people who dipped their toes into it early on became disenchanted and never came back. It couldn't replace FB if it lacked a major feature of FB that they cared about.

    Even to this day though Google+ has had the advantage of being a community with far less BS, trolling and spam than Facebook. The signal-to-noise ratio for the Google+ communities I participate in is exponentially better than anything on Facebook. This will be a great loss.

    1. Re:I'm going to miss Google+ by painandgreed · · Score: 1

      Honestly one of the real things that killed Google+ early on was the lack of any sort of events feature. This is BIG on Facebook, and in fact many users maintain a FB profile for no other reason than to be notified and invited to events. These people don't post nor read posts. For whatever reason, Google refused to add events into Google+ and this was a huge reason why people who dipped their toes into it early on became disenchanted and never came back. It couldn't replace FB if it lacked a major feature of FB that they cared about.

      This is why me and my friends abandoned it after jumping over when it first began to open up. It seemed to tie in with everything else Google. It allowed for custom groups of people as FB didn't at the time. They even worked with people's emails that weren't Google email. Google calendar was right there, but there was no integration. Meanwhile, all personal and organizational events in the city were being managed through FB Events. All except for one of us were back on FB in two weeks.

  11. absolute BS, my grind is... by AndrewFlagg · · Score: 1

    so, someone leaked the internal memo -- probably someone from Sen. Feinstein's office. dam.... isn't anything marked internal stay internal?

  12. Re:EVERY company, by that standard. Phone book inf by ljw1004 · · Score: 1

    and there is no reason to believe any of them did.

    That's a slippery sentence to make. We have no evidence either way, of course. So anyone's belief on this matter must just be based on their personal understanding of industry trends about vulnerability exploitation, extrapolated to this case.

    If you'd just said "I have no reason to believe" then that would have been an easy statement to make: that your understanding of industry trends doesn't provide reason for you to believe that the vulnerability was exploited.

    But you actually made a startlingly strong assertion that there exists no reason to believe that it was exploited -- in other words, you know the relevant set of background industry trends well, and that extrapolating them will lead everyone to the conclusion that there was no exploitation in this case.

    (I respect your other comparisons about what other companies would have to report, but that of course doesn't have bearing on your assertion that I quoted above.)

  13. Re:EVERY company, by that standard. Phone book inf by Cochonou · · Score: 2

    Yes, but the situation is a little more shady than that. It's not really 438 people, it's 438 third-party applications and therefore 438 organisations. How many people behind those organisations ?
    Furthermore, it appears that Google only keeps the log of the third-party API access for two weeks. Given the time window of this vulnerability, it seems quite misleading to go out and say that there is no evidence that this was used.
    I agree with you that the information leaked seems pretty benign. Therefore, they should have had no problems in disclosing the vulnerability... And furthermore, the phone book example you gave is interesting, because it seems that combining the information available within it with the information potentially leaked would give a good basis for identity theft. So, I do not know if this should be considered so benign.

  14. Good point, apps. 37 Windows vulns this month by raymorris · · Score: 1

    > It's not really 438 people, it's 438 third-party applications and therefore 438 organisations.

    Good point. I guess some organizers could have made more than one app, so technically up to 438 organizations, but your point stands.

    > it seems quite misleading to go out and say that there is no evidence that this was used.

    I've been doing cybersecurity professionally for fifteen years. Every day I and my team find thousands of vulnerabilities. Essentially every company has vulnerabilities. Two days ago was patch Tuesday. Microsoft released fixes for 37 new vulnerabilities, just like they do every month. Everybody using Windows is vulnerable to all kinds of stuff, dozens of new ones every month.

    Heck, it would probably be accurate to say 95% of all software applications have vulnerabilities. So if you want to know roughly how many vulnerabilities your organization has, count up how many software applications you use. That's probably about how many vulnerabilities you have, within an order of magnitude.

    So roughly all of our customers were vulnerable to at least some of Windows vulnerabilities that were released Tuesday. How many were breeched? Approximately none. Our company also does intrusion detection, and successful breeches are orders of magnitude less common than vulnerabilities. As a professional, these are two very, very different findings I can make:

    1. A company has a specific vulnerability (much like all the vulnerabilities every other company has).

    2. There is evidence of an actual breech.

    These are very different things. One is as common as water, the other is a major event. It would be very misleading to conflate the two.

  15. Re:Solid by Anonymous+Bullard · · Score: 1

    I had totally missed it. Thank you.

    --

    Should invading one's peaceful neighbours be opposed, or rewarded with trade deals?