Security Weekly 57

Security Week 39: On The Death Of Google+

Last week, Google announced (news) the closure of the social network Google+, but it did so in an unusual way. Google is not shy about shutting down projects that have not taken off, for whatever reason. Many still cannot forgive the company for dropping the Google Reader service in 2013, two years after the launch of Google Plus.

That is Google's prerogative: if a product does not work out as a business, it is shown the door. What is interesting is the stated reason for closing. For Google Reader it was a small audience; for Picasa, the desire to focus on the new Google Photos product. Google+, however, was closed for security reasons, which is a fairly new argument, and one that seems unusual for a service of that size.


The closure of Google+ was announced in a lengthy blog post devoted mainly to the privacy of user data. Concerned about protecting this data, in early 2018 Google launched Project Strobe, an initiative that reviewed third-party applications with access to Google accounts. In the post, Google shares the first four results of that review.

  • Result number one: Google+ closes for regular users (though in some form it will live on for business customers). The post acknowledges the obvious: in seven years the service has not become popular with users or developers. 90% of user sessions on Google+ last less than five seconds (what is this? how do I get out of here?).


But according to Google, this is not the main, or at least not the only, reason for closing the platform. During the audit it was discovered that applications could request access to a user's Google+ profile. The profile may (optionally) include name, email address, occupation, gender, and age. The problem was that through the API an application got access not only to information about the user but also to the data of the user's friends. Moreover, friends could mark some information about themselves as non-public, but access to it was granted anyway.

  • According to Google, up to 500 thousand users could potentially be affected – evidently those who shared their information in response to a request from some application and could thus have inadvertently exposed information about their friends. But this is all theoretical: the company found no evidence that anyone actually did this through the Google+ API. Indeed, why hack Google+ when you have Facebook?
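To make the defect concrete, here is a constructed model of it (added here; not Google's code, and the names are hypothetical rather than the real Google+ API): the pre-fix path returns friends' profile fields regardless of the visibility each friend chose, the hardened path returns only the fields friends made public, and an audit helper lists what the old path leaked.

```python
from dataclasses import dataclass, field

PUBLIC, FRIENDS, PRIVATE = "public", "friends", "private"


@dataclass
class Profile:
    """Hypothetical profile record; field visibility is chosen by its owner."""
    user_id: str
    fields: dict                       # field name -> value
    visibility: dict                   # field name -> PUBLIC / FRIENDS / PRIVATE
    friends: set = field(default_factory=set)


def friend_profiles_vulnerable(directory, grantor_id):
    """Pre-fix behaviour: an app authorised by `grantor_id` receives every
    field of every friend, ignoring what each friend chose to expose."""
    grantor = directory[grantor_id]
    return {fid: dict(directory[fid].fields) for fid in grantor.friends}


def friend_profiles_fixed(directory, grantor_id):
    """Hardened behaviour: the grantor can consent to sharing their own data,
    but not their friends' restricted data, so a third-party app sees only
    the fields each friend marked PUBLIC."""
    grantor = directory[grantor_id]
    result = {}
    for fid in grantor.friends:
        p = directory[fid]
        result[fid] = {name: value for name, value in p.fields.items()
                       if p.visibility.get(name, PRIVATE) == PUBLIC}
    return result


def leaked_fields(directory, grantor_id):
    """Audit helper: friend fields the vulnerable path hands out that the
    friend never made public, as {friend_id: [field, ...]}."""
    exposed = friend_profiles_vulnerable(directory, grantor_id)
    allowed = friend_profiles_fixed(directory, grantor_id)
    return {fid: sorted(set(exposed[fid]) - set(allowed[fid]))
            for fid in exposed if set(exposed[fid]) - set(allowed[fid])}


# Constructed sample: alice authorises an app; bob and carol are her friends.
SAMPLE = {
    "alice": Profile("alice", {"name": "Alice"}, {"name": PUBLIC}, {"bob", "carol"}),
    "bob": Profile("bob", {"name": "Bob", "email": "bob@example.com", "age": 41},
                   {"name": PUBLIC, "email": FRIENDS, "age": PRIVATE}, {"alice"}),
    "carol": Profile("carol", {"name": "Carol", "occupation": "nurse"},
                     {"name": PUBLIC, "occupation": PUBLIC}, {"alice"}),
}
```

Running `leaked_fields(SAMPLE, "alice")` shows that Bob's friends-only email and private age would have reached an app Alice authorised, which is exactly the consent gap the audit found.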

Before getting to the bottom of what happened here, let's briefly go over the three other results of the analysis. Conclusion number two: users need more control over the rights of third-party applications. Now, when some service requests access to your Google account (to log in, to upload something to Google Drive, and so on), you can allow, for example, access to your profile but deny access to the calendar.

Third update: access to mail is getting stricter. Access to messages has always been a touchy topic, so this is a logical move by Google. Fourth news item: in Android, application access to calls and SMS will be seriously curtailed. Now only the call and SMS applications the user has set as default will have full access. In theory this is good news for stopping Trojans from sending premium-rate SMS, but let's see how it plays out in practice.

  • And with Google+, a strange thing comes out. Formally, Google did a great job: they were so concerned about users' privacy that they shut down an entire social network. This, half-jokingly, is a precedent: the first case in which a corporation, even if only in words, cites security as one of the reasons for stopping work on a product. On the other hand, the incident itself is rather small.

Let's compare. Yahoo had half a billion accounts stolen. The credit aggregator Equifax lost very sensitive data on half the US population through a huge hole in its infrastructure. And here is a completely analogous case: through an insecure API, a random outside firm downloaded information from the profiles of 50 million Facebook users. If you compare the scale, then Yahoo, Facebook, and Equifax should have been shut down in disgrace long ago.

But no, nothing of the kind happened, although the reputation of all three companies certainly suffered. Yahoo was sold to Verizon at a discount to the original price, Facebook was hauled through the courts and Congress, and its security people tightened the screws on third-party developers. Equifax's stock price fell seriously during the scandal… but then it recovered almost to normal values, and the company's revenue increased.


Not that I insist on closures: that way we would be left without hardware, services, and software within a couple of months. The conclusion is that security, or rather the insecurity of products, does not much affect the business or consumer preferences. The author of these lines has a complaint about Google+ that is not about API privacy. Google tried to integrate its social network into all of its products. Because of this, I one day discovered that my smartphone had for some time been uploading all my photos to a private Google+ photo album, although I didn't seem to have asked for it (apparently, I forgot to untick an unobtrusive checkbox somewhere). The changes in security policy announced last week partly solve the same problem. They give the user the opportunity to decide, more consciously, which data to open access to and which to keep to themselves.

This is a strategic flaw not only of Google+. An attempt to integrate everything and everyone, as a rule, leads to vulnerabilities at the junctions between different technologies. But Google's post does not raise this topic. That is understandable: the company here is in the position of bees trying to limit the collection, storage, and processing of honey. Ideally, as a user, I would like even more control over my data, not only in relation to third-party developers but also in relation to Google's own internal services. Or Facebook's, or any other company's.

Nevertheless, the mention of information security, even in such a context, when announcing a serious business decision, is good news. It means that Google, Facebook, and other companies are taking privacy issues more seriously. As with the recent bug in Facebook, both companies were fairly detailed and open about the problem and how they are solving it. Will there be even fewer politics and more facts in such messages in the future? Well, we will keep watching.
