by jlarocco 2803 days ago
It's disappointing to see people defending Google on this.

Whether the vulnerability was discovered internally or not, they were leaking people's data, and the responsible thing to do is tell them. Even if it's only a possibility, people have the right to know.

1 comments

There is no evidence that they were leaking people's data.

I don't think that's up for debate. Both the WSJ and Google's own engineers came to the conclusion that they were. If the data wasn't leaking there wouldn't be anything for Google to cover up in their memo.

The only question left is who was affected, and Google doesn't know because they deleted the logs. The responsible thing to do would be to notify everybody using that part of the service.

I agree that it is not up for debate. They did not lose any information. The Google announcement here https://www.blog.google/technology/safety-security/project-s... says that they looked for leakages and "We found no evidence that any developer was aware of this bug, or abusing the API, and we found no evidence that any Profile data was misused."

The difference is between data being exposed and data being leaked. The difference is quite critical.

First, I don't think the difference between exposed and leaked matters with respect to whether they need to notify users about it.

In any case, I don't believe their answer. Once the API response leaves the server with extra information there's no way for them to know which fields the caller looked at because it's all done client side.

They only "know" the data didn't leak in the 2 weeks prior to them finding out about it.