Google sets new rules for third-party apps to access Gmail data

Google ran an internal test and found that as many as 496,951 users may have had their data compromised, according to the Wall Street Journal. The cause was a bug in its Google+ People APIs, which potentially exposed the data of over 500,000 users and was promptly patched in March 2018.

Google also announced that, in addition to shutting down Google+, it's revamping its account permissions to allow users to pick and choose which data they share with third-party apps. The exposed data did not include phone numbers, the content of emails or messages, or other kinds of communication data.

As Google only keeps two weeks of API logs for its Google+ service, it was impossible for them to determine if the bug was ever misused.

"The flaw was discovered in March, but Google opted not to disclose this vulnerability as it found no evidence that the information had been misused".

In a statement to BleepingComputer, a Google spokesperson said that the company's Privacy & Data Protection Office felt it was not necessary to disclose the bug, as it did not meet the threshold that would warrant disclosure.

Only apps that directly enhance email functionality will be authorised to access consumer Gmail data, and will be subject to new rules on handling the information as well as security assessments.

The incident also marks the beginning of the end for Google+, which the company plans to shut down over the next year.

Google says that 90 per cent of Google+ user sessions lasted for less than five seconds.

The real concern here is that Google reportedly became aware of the security glitch several months ago but failed to disclose the issue due to "fears that doing so would draw regulatory scrutiny and cause reputational damage".

According to the company, profile information like name, email address and age from some users was available to apps, even if users had not marked it public. Y'know... other than users' data and consumer trust. However, it's possible that data were abused and Google just doesn't know about it yet.

Google has thus far been able to defer much of the criticism to Facebook and Twitter, but the Google+ bug may thrust it further into the spotlight.

The Google+ data leak bug was found as part of "Project Strobe", a root-and-branch review of what data developers could access from Google accounts and Android devices.
