In a mail that the Google team forwarded to concerned users, the search engine giant informed of some unintended technical glitches that had followed a software update and affected Google+ apis. The glitch encountered on 7th November 2018 PT was fixed by 13th November 2018 PT and was limited to Google+ APIs, resulting in “two potential unintended effects”, reveals Google.
One of the glitches included allowing apps that were granted permission only to view user profile information like name, email address, and occupation access to other profile fields than the user permitted or intended.
The second effect was if a user had shared profile information with another user and the second user had granted an app permission to view the public profile fields of the first user, then not only would the app be able to request and view the first user’s public profile fields, as intended; it would also be able to request and view any profile fields shared between the first and second users, but not shared publicly.
While Google accedes to the fact that this issue was limited to profile fields and did not give developers access to case-sensitive information like financial data, national identification numbers, passwords, or similar data generally used for fraud or identity theft, it was nonetheless a cause for concern and sent off red flags since detected by Google’s automated testing. Google has also stated in a way of assurance that they have yet to find any evidence of the app developers inadvertently allowing this access for six days without being aware of the glitch or having misused it in any way.
Additionally, the Google team has provided users with a list of affected fields and the corresponding app names. And in order for users to access information about all third-party apps they may have given permission to access their account to, Google has advised going to security preferences to review ‘Third-party apps with account access.’
The issue has been elaborated on in the Google+ blog post dated December 10th, 2018.