It has been reported that Google is closing down its social network Google+ after users’ data was exposed. It will shut down over the next ten months after it was revealed a software bug meant information that people believed was private had been accessible to third parties between 2015 and 2018. Up to 500,000 users had been affected, Google said, and data exposed is believed to include people’s names, email addresses, birth dates, profile photos, and gender. According to reports, the company knew about the issue in March but did not disclose it for fear of regulatory scrutiny. Security experts commented below.
Gary McGraw, Vice President Security Technology at Synopsys:
“First Facebook, now Google. Software problems at huge tech companies continue to expose “the product,” which in the case of advertising-driven tech companies happens to be your data.
Getting software security right is difficult, but not impossible. Just as was the case in the Facebook “View As” design flaw, we see evidence in this Google+ case of just how tricky solid software engineering can be even for tech wizards. Making sure that APIs do not accidentally break security and privacy requirements is super important and is an aspect of design. Design flaws sometimes emerge in the gaps between systems that might otherwise seem fine on their own. The mind boggling complexity of today’s commercial systems is a major factor here, making systematically uncovering and correcting design flaws when software is being designed and built harder than ever.”
Bill Holtz, CEO at Comodo CA:
“Google’s tagline, ‘people should assume that the web is inherently safe,’ fosters confidence in many people but skepticism in many others. The web may be inherently safe based on large numbers, but try telling that to the people who get hurt daily on the web because their identity is compromised, their credit cards are compromised, or their privacy is invaded. Honesty and full disclosure are necessary in the security business – it’s the difference between being in business or not, and we are fine with that. We are in the trust business and should be held to a high standard. Others in our business that have failed those standards have been put out of business, by Google.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.