
Google Buzz bug exposes user geo location

Already besieged by complaints of shoddy user privacy, Google Buzz was susceptible to exploits that allow an attacker to commandeer accounts and even learn where victims are located, a security researcher said Tuesday. The XSS, or cross-site scripting, vulnerability is unusual because it affects google.com, the domain that …

COMMENTS

This topic is closed for new posts.
WTF?

How is this a flaw?

The whole point of buzz is geo location.. it even lists its 'buzzes' in geo order not time order - along with the location and a link to pinpoint the user on google maps.

I don't think much of a flaw that allows you to use the service as it's meant to be used!

1
3
FAIL

Time to act?

Withdraw Buzz

3
2
Black Helicopters

Oh great ....

... now the satellites can keep track of the black helicopters.

Synergy on a whole new level.

3
0
Big Brother

Meh.. so what?

Twitter, Facebook, Myspace and the likes have all had countless bugs in their systems.. it happens to us all! If people are so worried about their information on the internet .. don't bloody put it on the internet.

4
4

I signed up for email, not for twitbook

So what? I signed up for Gmail as a webmail provider - now they've added this Buzz thing I never asked for, that I cannot turn off. I can stop it from being displayed in Gmail - but that doesn't mean people can't follow me.

As a mail user only this only means extra vulnerabilities in my Gmail account as well as time wasted to try and ensure my info doesn't go public.

3
0
Stop

Er, you *can* turn it off

http://www.metro.co.uk/tech/812817-how-do-i-turn-off-google-buzz

HTH

1
0
Go

Buzz Can Be Switched off

Go to the bottom of GMail, just above ©2010 Google, 'turn off Buzz'.

Go on, you know you want to...

0
0

That's actually new

This article has been updated:

http://mail.google.com/support/bin/answer.py?hl=en&answer=171460

A couple of days ago it still said that "turn off buzz" only removed the Buzz entry in Gmail but it did not disable it.

The lines about removing your profile first are very recent.

It's also worth noting that even if you delete your profile, if you have made any posts on anyone's Buzz page, these posts will remain unless you go and remove them manually first....

You didn't seriously think it was that simple did you??

0
0
Thumb Up

bad press = bugs fixed

You need stories shaming sites for dropping the ball on security, otherwise the fix won't be a priority. If it's not fixed by now I bet it's fixed this time tomorrow.

5
0
Pirate

His nickname

"RSnake"

Really, he's never said this out loud...

Sounds like a gay pron star

4
1

Whuuuttt?

Google's geolocation abilities, now built into their apps to show just how cool they are, are being exploited nefariously?

Well I never!

3
1

Hmm...

"[...]and there are no indications the flaw has been exploited, he said."

Except, I assume it was exploited by TrainReq in order to report the vulnerability, so it's been exploited at least once. I mean, you need to know that it actually happens before you report it. So, in other words, there is a vulnerability, and Google thinks it hasn't been exploited, even though it has.

2
0
FAIL

RE: marschw

...by that logic, nothing has a 100% safety record - simply because during testing etc

0
1
Black Helicopters

Google Ate My Children

What is it with El Reg and Google? Have they p!ssed in your kettle or what?

Why don't you just rename your domain wehategoogletheyaretrulyevil.co.uk?

Oh my lordy, I was buzzing yesterday and today. That'll have given away my geolocation and the people in the black helicopters will now be able to find me and use my credit card details to buy their fuel. Hide under the desks until they go away.

Security lapse my @rse. I warn you, you're beginning to sound silly.

As I said to the MS salesman who failed to persuade me to live.com instead of Google Apps: "The good news is, you're not paranoid. The bad news is, because everyone is out to get you."

2
4
Pint

El Reg

Well, sir, this is El Reg. AKA We bash anyone.

If this respectable organisation were to buy this "wehategoogletheyaretrulyevil.co.uk" domain, it would need to buy "wehateappletheyaretrulyevil.co.uk", "wehatemicrosofttheyaretrulyevil.co.uk", "wehatehptheyaretrulyevil.co.uk" and so on.

Back on topic, well, surely you are a good person and would do no harm to the children (whom nobody seems to think of!), nor would you cause that $deity damn global warming. Good person. Good.

Beer, it's lunch time here and carnival ended yesterday. I'm in Brazil btw. OH MY! I LEFT MY GEOLOCATION ON EL REG! (as if they don't have the IP address I'm using right now)

0
0

XSS?

I suppose that since they need to ensure that seamless scripting across google, analytics, 1e100 (is that right?), Old Uncle Tom Cobbley and all works without any issues, they're always going to have to leave a few doors open that would be far better slammed shut and heavily bolted.

Or am I missing something here?

1
0

Be afraid...

No, you're not missing anything, the chocolate factory is going the way of MickySoft and creating one big humongous über app mess with security flaws between the apps just because it's easier to code it that way, rather than having a set of separate 'secure' apps.

What's next, targeted ads in the gmail you send where the recipient of the email gets targeted ads based on their browsing history?

Time to find a new email server I think

0
0
Anonymous Coward

tut tut

I'm shocked that a big company like Google would allow its geolocation vulnerability to come with a bug causing it to act like a social networking site.

0
0