
Google will shut down Google+ four months early after second data leak - bhauer
https://www.theverge.com/2018/12/10/18134541/google-plus-privacy-api-data-leak-developers
======
jdp23
Yikes. A release in November introduced an API bug that was active for about 6
days, impacting 52.5 million users.

* With respect to this API, apps that requested permission to view profile information that a user had added to their Google+ profile—like their name, email address, occupation, age (full list here)—were granted permission to view profile information about that user even when set to not-public.

* In addition, apps with access to a user's Google+ profile data also had access to the profile data that had been shared with the consenting user by another Google+ user but that was not shared publicly.

~~~
morley
FWIW, also from the blog post:

> We discovered this bug as part of our standard and ongoing testing
> procedures and fixed it within a week of it being introduced. No third party
> compromised our systems, and we have no evidence that the app developers
> that inadvertently had this access for six days were aware of it or misused
> it in any way.

~~~
kerng
Yeah, testing in production. I wish the tech industry would stop this madness
and do QA before releasing. It's all about code velocity and shipping things,
we need to hold ourselves to higher standards. I'm afraid unless there will be
legal pressure and a framework it will continue this way.

~~~
scrollaway
There's nothing that says there's no QA/testing _before_ releasing. "Testing
in production" doesn't _remove_ the ability to do testing _before_ production.

You should be testing your software at every step of its lifecycle,
_especially_ in production. Production is where it matters if there's bugs.

------
tptacek
Again, this is poor reporting. It's newsworthy that Google+ found and
disclosed a vulnerability in its own code, but there is no norm for reporting
internally-discovered vulnerabilities and few companies reliably do it,
especially in SAAS platforms where there's no end-user patching activity that
needs to be motivated.

There's a colorable argument that you don't even want this to be a norm,
because of the incentive problems it creates:

[http://flaked.sockpuppet.org/2018/10/09/internal-disclosure-...](http://flaked.sockpuppet.org/2018/10/09/internal-disclosure-boring.html)

Regardless: bear in mind that you haven't even heard about a fraction of the
horrible vulnerabilities internal teams at tech companies have discovered over
the years.

~~~
dredmorbius
As someone in the heart of trying to help people get off G+, what's
particularly newsworthy is that after two full months (and two days) of radio
silence on the Google+ sunset, the first substantive comment from Google is
... that the sunset has been advanced by four months.

We'd be recommending people be _starting_ their migrations by Feb - May, and
now they've got to _complete_ them by April. That's something of a PITA.

[https://social.antefriguserat.de/index.php/Exodus_Planning_a...](https://social.antefriguserat.de/index.php/Exodus_Planning_and_Scheduling#Phases)

There are 7.9 million Google+ Communities. Sure, 3.9 million of those are 1
(or fewer) users, but that leaves tens of thousands of 1,000 or more members.
Even at only a few percent of those as active, that's a lot of communities and
people involved. And Google+ has no effective community migration process.

Source on communities: I counted them myself, well, via sampling:
[https://old.reddit.com/r/plexodus/comments/9zx67d/google_com...](https://old.reddit.com/r/plexodus/comments/9zx67d/google_communities_membership_analysis_preview/)

------
fotbr
I haven't followed the Google+ saga, so forgive me if this has already been
answered:

Does the shutdown of Google+ mean that Google Search users will get the +
operator back?

~~~
pas
put the term(s) in double quotes, it does the same thing, no?

~~~
onedognight
“term” is require_exact_match(term) and +term was require(term), so the latter
would, for example, allow spell checking, IIRC.

~~~
ergothus
It's not really "term" - at least, it can't handle multiple words.

"foo bar" is actually treated like "foo" "bar", which is far less useful than
it once was.

~~~
gniv
> "foo bar" is actually treated like "foo" "bar"

No it isn't. Compare "internal engine" with "internal" "engine":

[https://www.google.com/search?q=%22internal+engine%22](https://www.google.com/search?q=%22internal+engine%22)

[https://www.google.com/search?q=%22internal%22+%22engine%22](https://www.google.com/search?q=%22internal%22+%22engine%22)

~~~
ergothus
You're correct, it does not work as I describe. My description of the problem
was just wrong, so thanks for pointing that out.

However, it doesn't work the way it used to either.

I get frustrated once or twice a year about this, and every time I fight with
the many (old) tutorial examples, but eventually end here:
[https://productforums.google.com/forum/#!topic/websearch/6gH...](https://productforums.google.com/forum/#!topic/websearch/6gHVUEl8y1k/discussion)

Where we see that "foo bar" only says that "foo" will appear in the text
before "bar" (but anything can be between them), and that's assuming the bug
is actually fixed.

That status of "we think it's fixed and users don't agree" is the last I've
ever seen.

~~~
Izkata
Under "search tools", you can change "all results" to "verbatim" to fix that.
Really not obvious, though.

------
svat
There's a lot of great content on Google+. Is anyone working on a script to
archive some of it before it all goes away? Perhaps the fine folks at the
Internet Archive (Wayback Machine)?

Specifically, I'm wondering if someone's working on a script that does the
following:

- Ideally for each post URL given, it would preserve the post, and the
comments (including the first few ones, not just the last few ones that are
shown by default). It would be nice if it also preserves the +1s (including
who +1d them), but that's optional.

- And given a user, it would do the above for each (public) post of the user,
or (optionally) use your account to save (just for yourself) the posts that
you can see.

There were a lot of people posting great stuff on G+ and resulting in
wonderful thoughtful conversations (especially a couple of years ago), it
would be a shame to lose all that permanently.

(If someone doubts this: see e.g. (if you're interested in mathematics) the
posts by
[https://plus.google.com/+TerenceTao27](https://plus.google.com/+TerenceTao27)
[https://plus.google.com/+TimothyGowers0](https://plus.google.com/+TimothyGowers0)
[https://plus.google.com/+johncbaez999](https://plus.google.com/+johncbaez999)
etc, or
[https://plus.google.com/+DanPiponi](https://plus.google.com/+DanPiponi) for
more CS-y stuff, or for more "general" stuff
[https://plus.google.com/+YonatanZunger](https://plus.google.com/+YonatanZunger)
etc -- and for all these people, especially in 2015-2016 or so.)

 _Edit:_ You can download your _own_ content using Google Takeout
[https://takeout.google.com](https://takeout.google.com). Just learnt of these
other places where this question has been asked / is being asked: this G+
community
([https://plus.google.com/communities/112164273001338979772](https://plus.google.com/communities/112164273001338979772))
and this wiki
([https://social.antefriguserat.de/index.php/Main_Page](https://social.antefriguserat.de/index.php/Main_Page))
-- if you have any answers those may be good places to post too :-)

~~~
pmlnr
> Is anyone working on a script to archive some of it before it all goes away?
> Perhaps the fine folks at the Internet Archive (Wayback Machine)?

The archivist in me is screaming that yes, of course it should be archived.

The web-old-timer in me just shakes his head that people never learn to keep a
copy of their content on the actual free - as in freedom - web, on their own
website. Let it be a mere text file, uploaded by ftp, or a WordPress, or
anything, just do it. Nobody should expect others to archive it for them. (For
more on the topic, see [http://indieweb.org/why](http://indieweb.org/why) ).

Back on topic: talk to
[https://www.archiveteam.org/index.php?title=Main_Page](https://www.archiveteam.org/index.php?title=Main_Page).

------
jacquesm
So, how does Google, which we all trust with our precious data end up messing
up like this several times in a row?

If this is the company with the best security team in the world does that mean
we should simply abandon all hope?

~~~
coliveira
My opinion is that, given the infrastructure and practices we have, anything
that is in digital form will be eventually hacked in one way or another. It is
just a matter of time. Unfortunately the best security team can't do anything
about it.

~~~
jacquesm
It's depressing.

~~~
conanbatt
It's liberating. There is no information immortality.

~~~
jacquesm
Hacked data is more, not less immortal.

~~~
conanbatt
Let me rephrase that: there is no information privilege immortality.

------
cosmotron
From Google: [https://www.blog.google/technology/safety-security/expeditin...](https://www.blog.google/technology/safety-security/expediting-changes-google-plus/)

------
jcoffland
Does anyone know how or if this will affect OAuth2 logins? Several of the
sites I run rely on Google OAuth2 and get the user's avatar using Google APIs.
It's a simple thing that does not require Google+ but it's unclear to me how
it will be affected.

What is this, the 3rd or 4th social network Google has failed at?

~~~
toyg
It won't be affected. Google spent the last few years decoupling every useful
G+ feature into standalone services, the account feature to me looks
completely separate nowadays. Besides, without the OAuth provider, tons of
integrations (that Google actively want on their products) would break.

G+ was such a silly play, when you consider that Google already had the key to
centralized identity all along: the ubiquitous GMail account. They will
continue to push that for sure.

------
Cheyana
It amazes me that a company with all the resources that Google has repeatedly
coming up with ideas and doing absolutely nothing effective with them. They've
had some winners, like Chrome, and their acquisition of Youtube eventually
paid off, but something as simple as a social media site and the best they can
come up with from scratch is Google+.

~~~
skybrian
I don't know what you mean? The G+ UI is pretty good, certainly a lot better
than Facebook was at the time when G+ launched. For a while, a lot of people
were happy there, particularly in certain niches like photography.

It's a shame the implementation was so complex (apparently) that now it can't
be easily maintained. This does seem to happen to Google a lot. It probably
has more to do with too many resources, rather than not enough.

But maybe it's not simple to compete with Facebook. Maybe this has little to
do with technology.

~~~
Daniel_sk
I don't know, but the whole Circles thing was overcomplicated and average
users didn't bother to put their followers into different circles, I am not
sure how they thought this would work.

~~~
ocdtrekkie
Circles was fantastic, and continues to be what I wish for in a lot of other
networks. Mainly because there are people I follow loosely (don't mind seeing
the occasional update from), and people I follow religiously (because I know
them personally or care about every single thing they say). I used to maintain
really primarily two feeds. One I cared to always read all the time, and one
I'd browse when I was bored.

G+ mostly mitigated the frustration of it for people who didn't care years
ago: You can just click follow and it puts them in a default following circle.

~~~
jacquesm
Circles is great for geeks who like to have such fine-grained control over
their lives, both online and offline. For the rest of the world it doesn't
really matter, and even if it does it is too difficult to set up and maintain.
A company called Hyves in the Netherlands did much the same thing (but with a
fairly crappy UI) long before Google+ came along. That fell to FB as well.

------
nullsmack
Can we have Google Reader back now?

~~~
hdpq
this is what i was looking for when i saw this headline.

------
garysahota93
They could have done soo much more with Google+ ... The hype was real up until
launch. Really wish they had done things a little differently. Oh well... With
all these leaks, I'm actually really glad they weren't successful with this.

~~~
toyg
Even after launch. But the Real Names policy and lack of write api killed any
momentum.

------
shemnon42
So is this four months per new leak found or "half the distance to the goal
line?"

------
afniljl
I admit I actually rather liked Google+, for certain communities it was really
active and well suited. However now that Google is decoupled and free from G+
shackles, it has really room to take off and grow in new areas, which is
exciting to see. eg G+ logins will now be returned to G or Gmail branding,
probably dramatically increases consumer confidence and mindshare, and other
stuff. Developer teams can be fully redeployed to other products etc. Building
of "micro" communities within Maps, YouTube, etc will accelerate, and that's
really where it should be, rather than forced to accede to G+ product area.

------
qwerty456127
How do I download all the discussions (posts with comments) I have
participated in?

~~~
mikewhy
Google Takeout has two different Google+ entries that may have what you're
looking for.

------
qwerty456127
What are some good alternatives to Google+? I mean microblogs with
subscribers/followers instead of friends, without a strict message length
limit, with first-class comments, letting you edit your posts and comments
after you submit them and to limit access to particular post to a specific
group of people?

~~~
r721
Dreamwidth (Livejournal fork)? A recent Wired article:
[https://www.wired.com/story/tumblr-porn-bloggers-dreamwidth-...](https://www.wired.com/story/tumblr-porn-bloggers-dreamwidth-pillowfort/)

------
ccnafr
Actual announcement: [https://www.blog.google/technology/safety-security/expeditin...](https://www.blog.google/technology/safety-security/expediting-changes-google-plus/)

------
harbie
Is it accurate to call this a leak if no one actually took advantage of the
vulnerability?

------
pmarreck
Did they ever unfuck the merging of Google+ comments with YouTube comments?

~~~
dredmorbius
Mostly.

------
newman314
I suppose I’ll ask this here.

Does anyone know of a good way to archive a Google+ group? There is a bunch of
good info about hacking the Kankun smart plug that I would like to preserve.

~~~
dredmorbius
No.

There are some tools.

[https://social.antefriguserat.de/index.php/Data_Migration_Pr...](https://social.antefriguserat.de/index.php/Data_Migration_Process_and_Considerations#Third_Party_Tools)

------
mc32
I really don't care what they do with the consumer version (who uses it?), but
I'd like to see mapping and wayfinding features added to the paid GSuite
version.

------
DSingularity
Data really has become radioactive.

~~~
dana321
That is so true.

It's like most of us live behind this wall of our behavior online, like it
isn't shared unless there is a hack.

But it's sold, shared and traded without us knowing it, and used to display a
reality tailored to us with the unintended consequence of us living in a
bubble and not seeing much outside the edge of the bubble.

This site is a great example of bubble breaking.

------
FreeInFlorida
Wait...

Google+ had 52 million users?

That should be the headline.

~~~
InclinedPlane
Everyone with a gmail address or youtube account was strong armed into having
a google+ account, which counts as their "userbase" regardless of whether or
not any of those people actually made use of any google+ specific features.

~~~
hdpq
then it should be more than 52,000,000 people.

~~~
what_ever
The vulnerability did not affect all of the users.

