Google Buzz gets security fix

Summary: A flaw in the messaging and social-networking service had the potential to allow attackers to compromise user accounts

Google has fixed a security flaw that had the potential to allow a hacker to compromise Google Buzz accounts.

The cross-site scripting flaw in the mobile version of Google's messaging and social-networking application was put right soon after it was reported, the company said in a statement on Wednesday.

"We fixed a vulnerability that could have affected users of Google Buzz for mobile on 16 February, hours after it was reported to us," Google said. "We have no indication that the vulnerability was actively abused. We understand the importance of our users' security, and we are committed to further improving the security of Google Buzz."

A source close to Google said the flaw would not have allowed an outsider access to Gmail or Google Docs.

The flaw was made public on Tuesday by Robert Hansen, chief executive of SecTheory, a network security firm. Hansen said in a blog post that the flaw in the platform was an example of "bad input validation/output encoding" that could have been used to hijack Buzz accounts, insert malicious script into Google web pages, or create phishing pages within Google's domain.

The flaw was found by security researcher 'TrainReq', who said in a reply to Hansen's blog post that the vulnerability lay in the way HTTP post headers could be edited.

Since its launch on 9 February, Google Buzz has come under attack over privacy concerns, and the company has made changes in response to complaints from users that the default set-up made it difficult to keep their contact list from being exposed.

Tom Espiner

About Tom Espiner

Tom is a technology reporter for He covers the security beat, writing about everything from hacking and cybercrime to threats and mitigation. He also focuses on open source and emerging technologies, all the while trying to cut through greenwash.
