Google is shutting down the consumer version of its Google+ social network following the discovery of a vulnerability that allowed app developers access to private profile information. The vulnerability was found and patched in March 2018, but it was not disclosed until today. According to an internal memo viewed by the Wall Street Journal, Google feared disclosing the issue would be detrimental to its reputation and draw unwanted regulatory attention.
Google reports that it found no evidence that any developer was aware of the bug, or that any abuse occurred. However, up to 500,000 Google+ profiles were affected by the vulnerability, and 438 applications may have used the API.
In a memo viewed by WSJ that was sent to senior executives, including CEO Sundar Pichai, Google's legal and policy staff stated that disclosing the incident would trigger "immediate regulatory interest." For that reason, it delayed releasing the information, though a day before its major annual hardware event is far from ideal timing for any bad press.
Additionally, it's important to note that Google doesn't give the same leeway to vendors under its vulnerability disclosure policy — it promises to wait only 90 days before publicly disclosing the issue. However, Google writes in its blog post that the issue didn't hit the necessary thresholds for disclosure when it came to things like evidence of misuse, or whether there were any actions a developer or user could take in response.
Google says it found the vulnerability as part of its Project Strobe review of third-party developer access to Google account and Android device data. One of the first priorities of Strobe, which launched earlier this year, was to review all APIs related to Google+.
Beyond finding the bug, Google finally admitted the truth, writing in the blog post:
"This review crystallized what we’ve known for a while: that while our engineering teams have put a lot of effort and dedication into building Google+ over the years, it has not achieved broad consumer or developer adoption, and has seen limited user interaction with apps. The consumer version of Google+ currently has low usage and engagement: 90 percent of Google+ user sessions are less than five seconds."
Google says it will give users a 10-month period to transition out of Google+, slated for completion by the end of next August. It also promises to provide consumers with more information, including options for downloading and migrating data, over the coming months.
Google+ will live on in a limited capacity, however, as an enterprise tool. The company notes that it will be "launching new features purpose-built for businesses," and that it'll share more information in the coming days.
In addition to the sunsetting of Google+, Project Strobe brings in new, more granular controls over the data Google Account owners share with apps.