....did Google just admit to patching a security hole and not announcing it for months? Isn't this what they continuously harangue other organizations for on Google's Project Zero blog?
It's more than that - the Wall Street Journal article says Pichai signed off on not disclosing it to the public. It feels a bit like Google only published this blog post today because they knew WSJ was about to go public:
A memo reviewed by the Journal prepared by Google’s legal and policy staff and shared with senior executives warned that disclosing the incident would likely trigger “immediate regulatory interest” and invite comparisons to Facebook’s leak of user information to data firm Cambridge Analytica.
Chief Executive Sundar Pichai was briefed on the plan not to notify users after an internal committee had reached that decision, the people said.
.... The document shows Google officials knew that disclosure could have serious ramifications. Revealing the incident would likely result “in us coming into the spotlight alongside or even instead of Facebook despite having stayed under the radar throughout the Cambridge Analytica scandal,” the memo said. It “almost guarantees Sundar will testify before Congress.”
They found it internally with no evidence of compromise. If a 3rd party had disclosed it, it would be very different. It's actually a very, very simple distinction and it's hard to believe anyone is confused by it but here we are.
Yep: https://www.nbcnews.com/tech/tech-news/google-says-it-found-...
"As many as 438 applications might have used the API. Google maintains that it didn’t uncover evidence developers were aware of or abused the security flaw, or that profile data was misused. However, it acknowledged that it has no way of knowing for sure because it doesn’t have “audit rights” over its developers and because it keeps a limited set of activity logs." (https://venturebeat.com/2018/10/08/google-security-breach/)
Google wrote: “Our Privacy & Data Protection Office reviewed this issue, looking at the type of data involved, whether we could accurately identify the users to inform, whether there was any evidence of misuse, and whether there were any actions a developer or user could take in response. None of these thresholds were met in this instance.”
--
From 2016: "The search engine company publicised a critical Windows bug 10 days after informing the software firm about it" (https://www.theguardian.com/technology/2016/nov/01/google-mi...)
From February: "Microsoft misses Google's 90-day deadline, so Google has published details of an exploit mitigation bypass" (https://www.zdnet.com/article/windows-10-security-google-exp...)
And then: "For the second time in a week, Google reveals another unpatched Windows 10 vulnerability" (https://www.zdnet.com/article/windows-10-bug-google-again-re...)
In August: "Google discloses vulnerability in Fortnite launcher that allowed possible malware installation" (https://www.gamesindustry.biz/articles/2018-08-27-google-dis...)
Again in August, reporting Samsung bugs (https://www.zdnet.com/article/google-project-zero-heres-the-...):
"Two terms irked her and simply clashed with Project Zero's practices. "You MUST hold off disclosing the vulnerability in reasonable time, and you MUST get Samsung's consent or inform Samsung about the date before disclosing the vulnerability," said Samsung. "In some cases, Samsung may request not to disclose the vulnerability at all." Again, this clashes with Project Zero's insistence on disclosure."