Washington: Google said it has discovered a new vulnerability in its Google+ social network that could have revealed private data on 52.5m users, just a month after it disclosed an earlier security flaw and announced plans to close down the service.
The new problem was disclosed on Monday, prompting the internet giant to say it will bring forward the date for ending the consumer Google+ service by four months, to April next year.
The company said it had identified the new flaw less than a week after it was introduced, and that it been fixed. There was “no evidence” that any third-party app developers had misused user data as a result of the flaw, it said.
The latest disclosure marks an embarrassing stumble by Google as it tried to plug previous gaps in its privacy protections. It could also hamper its attempts to give Google+ a second life as a collaboration and communication service for workers, after closing down the free consumer version.
Launched in 2011, Google+ was the company’s most ambitious attempt to draw users away from Facebook. Two years after launch, it claimed 300m users for features such as Hangouts, a messaging and video conference service, and photo sharing — both of which were later spun off as separate apps.
But the Google+ feed never developed the kind of active engagement seen in Facebook’s news feed. Google re-purposed it as a comment system for YouTube and an identity layer that could supply user profiles to other Google services.
It has since tried to use it as a platform for collaboration among workers, as part of its business-grade cloud platform. Investment in that service will continue after the consumer version of Google+ is closed, it said.
The company revealed the initial security problem in October. It was discovered during a review of its privacy arrangements begun early in the year, at a time when the leak of Facebook user data to Cambridge Analytica was in the headlines.
The initial bug gave app developers access to personal profile information that users had chosen to keep private, including their age, address and occupation. Google said it had found and resolved the problem in March this year.
The second flaw revealed on Monday had been introduced with a software update that was put in place in November. This risked exposing the same private profile information about users as the first bug, though they were not related.
The flaw did not risk exposing the kind of data typically used for fraud or identity theft, like passwords or financial information, Google said.