Security Week 39: on the death of Google+

    Last week, Google announced the closure of the Google+ social network, but it did so in a rather unusual way. Google is not shy about shutting down projects that, for various reasons, haven't taken off. Many still cannot forgive the company for dropping support for Google Reader in 2013, two years after the launch of Google Plus.

    Still, Google is within its rights: if a product doesn't work out, it gets shown the door. What is interesting is the reason given for the closure. In the case of Google Reader, it was a small audience. In the case of Picasa, the desire to focus on the new Google Photos product. But Google+ is being closed for security reasons, and that is a fairly novel argument, at least for a service of this size.

    The closure of Google+ is announced in a lengthy blog post that is mostly devoted to the privacy of user data. Concerned about the protection of this data, in early 2018 Google's experts launched Project Strobe, an initiative that analyzed the third-party applications that have access to Google accounts. In the blog post, Google shares the first four findings of this analysis.

    Finding number one: Google+ is closing for regular users (in some form it will live on for business customers). The post acknowledges the obvious: in seven years the service never became popular with either users or developers. In 90% of user sessions, interaction with Google+ lasts less than five seconds (what is this? how do I get out of here?).

    But according to Google, this is not the main, or at least not the only, reason for closing the platform. During the audit it was discovered that applications could request and receive access to a user's profile on the Google+ network. A profile may (optionally) list the user's name, email address, occupation, gender and age. The problem was that, through the API, applications got access not only to information about the user, but also to the data of that user's friends. Moreover, those friends could mark some information about themselves as non-public, yet access to it was granted all the same.

    According to Google, up to 500 thousand users could potentially have been affected: obviously, those who shared their information in response to a request from some application and could thereby have inadvertently disclosed information about their friends. But all of this is theoretical, as the company found no evidence that anyone actually did this through the API. Indeed, why hack Google+ when you have Facebook?
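The access-control defect described above, shown as an added illustration (this is not Google's code, and the field names, visibility values and sample profiles are constructed for the example): a toy "friends' profiles" endpoint in its over-sharing form, a hardened form that releases only what each friend made public, and an audit helper that lists the difference.

```python
# Added example, not Google's code: a toy profile store with per-field visibility.
# Field names, visibility values and the sample users are constructed.
from dataclasses import dataclass, field

PUBLIC = "public"
FRIENDS_ONLY = "friends"   # visible to the owner's friends, not meant for third-party apps

@dataclass
class Profile:
    user_id: str
    fields: dict                 # field name -> value
    visibility: dict             # field name -> PUBLIC or FRIENDS_ONLY
    friends: set = field(default_factory=set)

# Constructed sample data: alice authorises an app; bob is her friend and
# marked his email and occupation as non-public.
USERS = {
    "alice": Profile("alice", {"name": "Alice", "age": 31},
                     {"name": PUBLIC, "age": FRIENDS_ONLY}, {"bob"}),
    "bob": Profile("bob", {"name": "Bob", "email": "bob@example.invalid", "occupation": "nurse"},
                   {"name": PUBLIC, "email": FRIENDS_ONLY, "occupation": FRIENDS_ONLY}, {"alice"}),
}

def friends_profiles_vulnerable(granting_user: str) -> dict:
    """The behaviour the post describes: the app acting for `granting_user` receives
    every field of every friend, including fields the friend marked non-public."""
    return {fid: dict(USERS[fid].fields) for fid in USERS[granting_user].friends}

def friends_profiles_hardened(granting_user: str) -> dict:
    """Hardened form: the friend never consented to this app, so the friend's own
    audience setting, not the granting user's consent, decides what is released.
    Fields without an explicit visibility entry are withheld (default deny)."""
    out = {}
    for fid in USERS[granting_user].friends:
        friend = USERS[fid]
        out[fid] = {k: v for k, v in friend.fields.items()
                    if friend.visibility.get(k) == PUBLIC}
    return out

def leaked_fields(granting_user: str) -> set:
    """Audit helper: (friend, field) pairs the vulnerable endpoint exposes but the
    hardened one withholds, i.e. exactly the over-sharing a reviewer would flag."""
    vuln = friends_profiles_vulnerable(granting_user)
    safe = friends_profiles_hardened(granting_user)
    return {(fid, k) for fid, fs in vuln.items() for k in fs if k not in safe.get(fid, {})}

if __name__ == "__main__":
    print(friends_profiles_vulnerable("alice"))   # includes bob's email and occupation
    print(friends_profiles_hardened("alice"))     # only {'bob': {'name': 'Bob'}}
    print(leaked_fields("alice"))
```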

    Before figuring out what happened here, let's briefly go over the three other findings. Finding number two: users need more control over the permissions of third-party applications. Now, when a service requests access to your Google account (to log in, to upload something to Google Drive, and so on), you will be able to allow, for example, access to your profile but deny access to your calendar.

    Third update: access to mail is being tightened. Access to messages has always been a touchy subject, so this is a logical move on Google's part. Fourth piece of news: in Android, application access to calls and SMS will be seriously curtailed. Now only the call and SMS applications that the user has set as default will have full access. In theory this is good news for protection against Trojans that send premium-rate SMS, but let's see how it works out in practice.

    With Google+, though, something strange emerges. Formally, Google did a great thing: it was so concerned about users' privacy that it shut down an entire social network. Joking aside, this is a precedent, the first case in which a corporation, even if only in words, names security as one of the reasons for stopping work on a product. On the other hand, the incident itself is rather minor.

    Let's compare. Here, half a billion accounts were stolen from Yahoo. Here, the credit aggregator Equifax loses very sensitive data on half the population of the United States through a huge hole in its infrastructure. And here is a completely similar case: through an insecure API, some random outfit downloaded information from the profiles of 50 million Facebook users. If we compare the scale, then Yahoo, Facebook and Equifax should have been shut down in disgrace long ago.

    But no, nothing of the kind happened, although the reputations of all three companies certainly suffered. Yahoo was sold to Verizon at a discount to the original price, Facebook was dragged through courts and congressional hearings, and its security people tightened the screws on third-party developers. At Equifax, the share price fell sharply during the scandal ... but then it climbed back almost to its previous level, and the company's revenue grew.

    Not that I'm insisting on closures: at that rate we'd be left without hardware, services and software within a couple of months. The conclusion is that the security, or rather the insecurity, of products does not affect business or consumer preferences all that much. The author of these lines has a grievance with Google+ that is not about API privacy. Google tried to integrate its social network into all of its products across the board. Because of this, I one day discovered that for some time my smartphone had been uploading all my photos to a private Google+ photo album, although I didn't seem to have asked for it (apparently I forgot to clear an unobtrusive checkbox somewhere). The changes in security policy announced last week partly solve the same problem: they give the user the opportunity to decide more consciously which data to open up and which to keep to themselves.

    This was not just a strategic flaw of Google+. An attempt to integrate everything with everyone, as a rule, leads to vulnerabilities at the junctions between different technologies. But Google's post does not raise this topic. That is understandable: here the company is in the position of bees trying to limit the collection, storage and processing of honey. Ideally, as a user, I would like even more control over my data, not only with respect to third-party developers, but also with respect to Google's internal services. Or Facebook's, or any other company's.

    Nevertheless, the mention of information security, even in this context, when announcing a serious business decision, is good news. It means that Google, Facebook and other companies are taking privacy issues more seriously. As with a recent bug on Facebook, both companies are fairly detailed and open about the problem and how to solve it. Will there be even less politics and more facts in such announcements in the future? Well, we will keep watching.

    Disclaimer: The opinions expressed in this digest may not always coincide with the official position of Kaspersky Lab. The editors generally recommend treating any opinions with healthy skepticism.