Google chose not to go public about bug that exposed Google Plus users’ data by Graham Cluley.
From the post:
…
No-one, not even Google, knows for sure how many Google Plus users had their personal data exposed to third-party app developers due to a bug in its API which was present from 2015 until March this year.
But in a blog post seemingly published in an attempt to take some of the sting out of the Wall Street Journal report, Google revealed that – despite approximately 500,000 Google Plus profiles being potentially affected in just the two weeks prior to patching the bug, and 438 separate third-party applications having access to the unauthorized Google Plus data – it has not seen any evidence that any profile data was misused.
…
Estimates of an Internet year relative to a calendar year range from 1 calendar year = 2 Internet years, through 1 calendar year = 4.7 Internet years, to a high of 1 calendar year = 7 Internet years.
To be fair, let’s arbitrarily pick 1 year = 4 Internet years, which means the Google API bug has been around for 13 Internet years.
I’m not a hacker so I certainly wasn’t helping, but geez. Not that anyone should have pointed the flaw out to Google by any means. Google’s moves to hide the existence of the bug speak volumes about some of us being in ocean-going yachts and others in leaking life rafts.
There is no commonality of interests in computer security between the average user and Google. Google offers security as a commodity (think DoD in the cloud) and whether you are secure, well, have you paid Google for your security?
I’m certain that Google will protest, should they bother to notice, but can you guess who has a financial interest in your free, or nearly so, reports of security bugs? (Hint: It’s not me.)
I’ve tried to avoid Google+ since its inception so its death won’t impact me.
I do need to set about learning how to check APIs for security flaws. 😉