New Vulnerability Found in Google+

Due to this vulnerability it was possible to obtain private information of 52.5 million accounts
11 December 2018

Google has decided to shut down the Google+ social network in April rather than in August 2019. The reason is another vulnerability in the API, which made it possible to obtain private information from 52.5 million accounts. The company plans to shut down the social network's API by mid-March 2019.

As of December 10, 2018, the following information about the bug had been published:

  • because of the bug in the API, third-party applications requesting access to profile data received permission to view information even if it was hidden by privacy settings;
  • users' names, email addresses, occupation, age and other confidential information were at risk;
  • passwords, financial data and national identification numbers were not compromised;
  • the company has no evidence that anyone exploited the vulnerability;
  • the error was fixed within 6 days: from November 7 to November 13, 2018;
  • Google said it is sending notifications to all users affected by the bug.

The previous leak of Google+ user data occurred in October 2018, when about 500 thousand accounts were compromised. The attackers could get the names, email addresses, age, gender and occupation of users.

Vulnerabilities Found in Android & Google Photos

As reported, they are already patched, but affected millions of users around the world
21 March 2019

Bugs that led to data leaks have been detected in Android and Google Photos. They are already patched, but affected millions of users around the world.

The Android vulnerability was in the WebView component and affected all versions of Android from 4.4 upward. WebView allows you to embed web browsing into an Android application and was originally part of Chromium. This means that the vulnerability applies not only to the mobile version of Chrome, but to all Android browsers based on this engine.

Using a vulnerability in WebView, an attacker could gain access to user accounts, browser history and other data.

It also turned out that the web version of the Google Photos service revealed user data when attacked through side channels. An attacker could get the metadata of the photos, as well as information about where a picture was taken.