Google Buzz gets security fix

A flaw in the messaging and social-networking service had the potential to allow attackers to compromise user accounts
Written by Tom Espiner, Contributor on

Google has fixed a security flaw that had the potential to allow a hacker to compromise Google Buzz accounts.

The cross-site scripting flaw in the mobile version of Google's messaging and social-networking application was put right soon after it was reported, the company said in a statement on Wednesday.

"We fixed a vulnerability that could have affected users of Google Buzz for mobile on 16 February, hours after it was reported to us," Google said. "We have no indication that the vulnerability was actively abused. We understand the importance of our users' security, and we are committed to further improving the security of Google Buzz."

A source close to Google said the flaw would not have allowed an outsider access to Gmail or Google Docs.

The flaw was made public on Tuesday by Robert Hansen, chief executive of SecTheory, a network security firm. Hansen said in a blog post that the flaw in the m.google.com platform was an example of "bad input validation/output encoding" that could have been used to hijack Buzz accounts, insert malicious script into Google web pages, or create phishing pages within Google's domain.

The flaw was found by security researcher 'TrainReq', who said in a reply to Hansen's blog post that the vulnerability lay in the way HTTP POST headers could be edited.

Since its launch on 9 February, Google Buzz has come under attack over privacy concerns, and the company has made changes in response to complaints from users that the default set-up made it difficult to keep their contact list from being exposed.