Already besieged by complaints of shoddy user privacy, Google Buzz was susceptible to exploits that allow an attacker to commandeer accounts and even learn where victims are located, a security researcher said Tuesday. The XSS, or cross-site scripting, vulnerability is unusual because it affects google.com, the domain that …
How is this a flaw?
The whole point of Buzz is geolocation... it even lists its 'buzzes' in geo order, not time order - along with the location and a link to pinpoint the user on Google Maps.
I don't think much of a flaw that allows you to use the service as it's meant to be used!
Time to act?
Oh great ....
... now the satellites can keep track of the black helicopters.
Synergy on a whole new level.
Meh.. so what?
Twitter, Facebook, Myspace and the like have all had countless bugs in their systems... it happens to us all! If people are so worried about their information on the internet... don't bloody put it on the internet.
I signed up for email, not for twitbook
So what? I signed up for Gmail as a webmail provider - now they've added this Buzz thing I never asked for, that I cannot turn off. I can stop it from being displayed in Gmail - but that doesn't mean people can't follow me.
As a mail-only user, this only means extra vulnerabilities in my Gmail account, as well as time wasted trying to ensure my info doesn't go public.
Er, you *can* turn it off
Buzz Can Be Switched off
Go to the bottom of Gmail, just above ©2010 Google: 'turn off Buzz'.
Go on, you know you want to...
That's actually new
This article has been updated:
A couple of days ago it still said that "turn off buzz" only removed the Buzz entry in Gmail but it did not disable it.
The lines about removing your profile first are very recent.
It's also worth noting that even if you delete your profile, if you have made any posts on anyone's Buzz page, these posts will remain unless you go and remove them manually first....
You didn't seriously think it was that simple did you??
bad press = bugs fixed
You need stories shaming sites for dropping the ball on security, otherwise the fix won't be a priority. If it's not fixed by now, I bet it's fixed by this time tomorrow.
Really, he's never said this out loud...
Sounds like a gay pron star
Google's geolocation abilities, now built into their apps to show just how cool they are, are being exploited nefariously?
Well I never!
"[...]and there are no indications the flaw has been exploited, he said."
Except, I assume it was exploited by TrainReq in order to report the vulnerability, so it's been exploited at least once. I mean, you need to know that it actually happens before you report it. So, in other words, there is a vulnerability, and Google thinks it hasn't been exploited, even though it has.
...by that logic, nothing has a 100% safety record - simply because during testing etc
Google Ate My Children
What is it with El Reg and Google? Have they p!ssed in your kettle or what?
Why don't you just rename your domain wehategoogletheyaretrulyevil.co.uk?
Oh my lordy, I was buzzing yesterday and today. That'll have given away my geolocation and the people in the black helicopters will now be able to find me and use my credit card details to buy their fuel. Hide under the desks until they go away.
Security lapse my @rse. I warn you, you're beginning to sound silly.
As I said to the MS salesman who failed to persuade me to live.com instead of Google Apps: "The good news is, you're not paranoid. The bad news is, because everyone is out to get you."
Well, sir, this is El Reg. AKA We bash anyone.
If this respectable organisation were to buy this "wehategoogletheyaretrulyevil.co.uk" domain, it would need to buy "wehateappletheyaretrulyevil.co.uk", "wehatemicrosofttheyaretrulyevil.co.uk", "wehatehptheyaretrulyevil.co.uk" and so on.
Back on topic, well, surely you are a good person and would do no harm to the children (whom nobody seems to think of!), nor do you cause that $deity-damned global warming. Good person. Good.
Beer, it's lunch time here and carnival ended yesterday. I'm in Brazil btw. OH MY! I LEFT MY GEOLOCATION ON EL REG! (as if they don't have the IP address I'm using right now)
I suppose that since they need to ensure that seamless scripting across google, analytics, 1e100 (is that right?), Old Uncle Tom Cobbley and all works without any issues, they're always going to have to leave a few doors open that would be far better slammed shut and heavily bolted.
Or am I missing something here?
No, you're not missing anything. The chocolate factory is going the way of MickySoft and creating one big humongous über-app mess with security flaws between the apps, just because it's easier to code it that way, rather than having a set of separate 'secure' apps.
What's next, targeted ads in the Gmail you send, where the recipient of the email gets targeted ads based on their browsing history?
Time to find a new email server, I think.
I'm shocked that a big company like Google would allow its geolocation vulnerability to come with a bug causing it to act like a social networking site.