Google Buzz gets security fix

Summary: A flaw in the messaging and social-networking service had the potential to allow attackers to compromise user accounts

Google has fixed a security flaw that had the potential to allow a hacker to compromise Google Buzz accounts.

The cross-site scripting flaw in the mobile version of Google's messaging and social-networking application was put right soon after it was reported, the company said in a statement on Wednesday.

"We fixed a vulnerability that could have affected users of Google Buzz for mobile on 16 February, hours after it was reported to us," Google said. "We have no indication that the vulnerability was actively abused. We understand the importance of our users' security, and we are committed to further improving the security of Google Buzz."

A source close to Google said the flaw would not have allowed an outsider access to Gmail or Google Docs.

The flaw was made public on Tuesday by Robert Hansen, chief executive of SecTheory, a network security firm. Hansen said in a blog post that the flaw in the m.google.com platform was an example of "bad input validation/output encoding" that could have been used to hijack Buzz accounts, insert malicious script into Google web pages, or create phishing pages within Google's domain.

The flaw was found by security researcher 'TrainReq', who said in a reply to Hansen's blog post that the vulnerability lay in the way HTTP post headers could be edited.

Since its launch on 9 February, Google Buzz has come under attack over privacy concerns, and the company has made changes in response to complaints from users that the default set-up made it difficult to keep their contact list from being exposed.

Topics: Security

About

Tom is a technology reporter for ZDNet.com, writing about all manner of security and open-source issues. Tom had various jobs after leaving university, including working for a company that hired out computers as props for films and television, and a role turning the entire back catalogue of a publisher into e-books. Tom eventually found tha...
