
Google Buzz Flaw Could Give Hackers Control

Google has come under fire since the debut of its "Buzz" service last week. The company launched the "Twitter-killer" with the intent of providing a social networking experience, but instead exposed the email addresses and physical locations of its participants.

Although the search giant jumped in and overhauled the default settings to avoid privacy act violations, Google now faces a probe by the Office of the Privacy Commissioner of Canada.

But consumer privacy isn't Google's only Buzz-related issue. TrainReq, the hacker known for cracking open Miley Cyrus' email account and retrieving unpublished photos, discovered a flaw that would allow hackers to control the mobile version of Google Buzz.

According to Robert Hansen, CEO of SecTheory, a cross-site scripting flaw allows a hacker to insert custom scripting code into webpages belonging to Google and other trusted websites. This means that pages residing within Google's secure domain can lead users to malware or scareware.

Google was informed of the security flaw late Tuesday evening. "We're aware of a vulnerability that could affect users of Google Buzz for mobile, and we are now pushing a fix," spokesman Jay Nancarrow told PCWorld via e-mail. "We have no indication that the vulnerability is being actively abused."

Nancarrow predicted that the fix would be implemented within a few hours. However, given the recent issues, is it even safe to use Google Buzz? As one Google critic pointed out, the company can't be trusted with sensitive information "because they can't protect their own applications."

Perhaps users should stick to Twitter and Facebook for now.