Google Buzz bug exposes user geo location

Already besieged by complaints of shoddy user privacy, Google Buzz was susceptible to exploits that allow an attacker to commandeer accounts and even learn where victims are located, a security researcher said Tuesday. The XSS, or cross-site scripting, vulnerability is unusual because it affects google.com, the domain that …

COMMENTS

This topic is closed for new posts.
  1. Tony Hoyle
    WTF?

    How is this a flaw?

    The whole point of buzz is geo location.. it even lists its 'buzzes' in geo order not time order - along with the location and a link to pinpoint the user on google maps.

    I don't think much of a flaw that allows you to use the service as it's meant to be used!

  2. Anonymous Coward
    FAIL

    Time to act?

    Withdraw Buzz

  3. Anonymous Coward
    Black Helicopters

    Oh great ....

    ... now the satellites can keep track of the black helicopters.

    Synergy on a whole new level.

  4. Dayjo
    Big Brother

    Meh.. so what?

    Twitter, Facebook, Myspace and the likes have all had countless bugs in their systems.. it happens to us all! if people are so worried about their information on the internet .. don't bloody put it on the internet.

    1. Florence

      I signed up for email, not for twitbook

      So what? I signed up for Gmail as a webmail provider - now they've added this Buzz thing I never asked for, that I cannot turn off. I can stop it from being displayed in Gmail - but that doesn't mean people can't follow me.

      As a mail user only this only means extra vulnerabilities in my Gmail account as well as time wasted to try and ensure my info doesn't go public.

      1. Uncle Slacky Silver badge
        Stop

        Er, you *can* turn it off

        http://www.metro.co.uk/tech/812817-how-do-i-turn-off-google-buzz

        HTH

      2. Rob Thorley
        Go

        Buzz Can Be Switched off

        Go to the bottom of GMail, just above ©2010 Google, 'turn off Buzz'.

        Go on, you know you want to...

        1. Florence

          That's actually new

          This article has been updated :

          http://mail.google.com/support/bin/answer.py?hl=en&answer=171460

          A couple of days ago it still said that "turn off buzz" only removed the Buzz entry in Gmail but it did not disable it.

          The lines about removing your profile first are very recent.

          It's also worth noting that even if you delete your profile, if you have made any posts on anyone's Buzz page, these posts will remain unless you go and remove them manually first....

          You didn't seriously think it was that simple did you??

  5. ZenCoder
    Thumb Up

    bad press = bugs fixed

    You need stories shaming sites for dropping the ball on security, otherwise the fix won't be a priority. If it's not fixed by now I bet it's fixed this time tomorrow.

  6. David Neil
    Pirate

    His nickname

    "RSnake"

    Really, he's never said this out loud...

    Sounds like a gay pron star

  7. Smokey Joe

    Whuuuttt?

    Google's geolocation abilities, now built into their apps to show just how cool they are, are being exploited nefariously?

    Well I never!

  8. marschw

    Hmm...

    "[...]and there are no indications the flaw has been exploited, he said."

    Except, I assume it was exploited by TrainReq in order to report the vulnerability, so it's been exploited at least once. I mean, you need to know that it actually happens before you report it. So, in other words, there is a vulnerability, and Google thinks it hasn't been exploited, even though it has.

    1. Anonymous Coward
      FAIL

      RE: marschw

      ...by that logic, nothing has a 100% safety record - simply because during testing etc

  9. Flodge
    Black Helicopters

    Google Ate My Children

    What is it with El Reg and Google? Have they p!ssed in your kettle or what?

    Why don't you just rename your domain wehategoogletheyaretrulyevil.co.uk?

    Oh my lordy, I was buzzing yesterday and today. That'll have given away my geolocation and the people in the black helicopters will now be able to find me and use my credit card details to buy their fuel. Hide under the desks until they go away.

    Security lapse my @rse. I warn you, you're beginning to sound silly.

    As I said to the MS salesman who failed to persuade me to live.com instead of Google Apps: "The good news is, you're not paranoid. The bad news is, because everyone is out to get you."

    1. Renato
      Pint

      El Reg

      Well, sir, this is El Reg. AKA We bash anyone.

      If this respectable organisation were to buy this "wehategoogletheyaretrulyevil.co.uk" domain, it would need to buy "wehateappletheyaretrulyevil.co.uk", "wehatemicrosofttheyaretrulyevil.co.uk", "wehatehptheyaretrulyevil.co.uk" and so on.

      Back in topic, well, surely you are a good person and would do no harm to the children (whom nobody seems to think of!) neither you cause that $deity damn global warming. Good person. Good.

      Beer, it's lunch time here and carnival ended yesterday. I'm in Brazil btw. OH MY! I LEFT MY GEOLOCATION ON EL REG! (as if they don't have the IP address I'm using right now)

  10. TeeCee Gold badge

    XSS?

    I suppose that since they need to ensure that seamless scripting across google, analytics, 1e100 (is that right?), Old Uncle Tom Cobbley and all works without any issues, they're always going to have to leave a few doors open that would be far better slammed shut and heavily bolted.

    Or am I missing something here?

    1. Field Marshal Von Krakenfart

      Be afraid...

      No, you're not missing anything, the chocolate factory is going the way of MickySoft and creating one big humongous über ap mess with security flaws between the aps just because it's easier to code it that way, rather than having a set of separate 'secure' aps.

      What's next, targeted ads in the gmail you send where the recipient of the email gets targeted ads based on their browsing history?

      Time to find a new email server I think

  11. Anonymous Coward
    Anonymous Coward

    tut tut

    I'm shocked that a big company like Google would allow its geolocation vulnerability to come with a bug causing it to act like a social networking site.
