back to article Google Buzz bug exposes user geo location

Already besieged by complaints of shoddy user privacy, Google Buzz is was susceptible to exploits that allow an attacker to commandeer accounts and even learn where victims are located, a security researcher said Tuesday. The XSS, or cross-site scripting, vulnerability is unusual because it affects google.com, the domain that …

COMMENTS

This topic is closed for new posts.
  1. Tony Hoyle
    WTF?

    How is this a flaw?

    The whole point of buzz is geo location.. it even lists its 'buzzes' in geo order not time order - along with the location and a link to pinpoint the user on google maps.

    I don't think much of a flaw that allows you to use the service as it's meant to be used!

  2. Anonymous Coward
    FAIL

    Time to act?

    Withdraw Buzz

  3. Anonymous Coward
    Black Helicopters

    Oh great ....

    ... now the satellites can keep track of the black helicopters.

    Synergy on a whole new level.

  4. Dayjo
    Big Brother

    Meh.. so what?

    Twitter, Facebook, Myspace and the likes have all had countless bugs in their systems.. it happens to us all! if people are so worried about their information on the internet .. don't bloody put it on the internet.

    1. Florence

      I signed up for email, not for twitbook

      So what? I signed up for Gmail as a webmail provider - now they've added this Buzz thing I never asked for, that I cannot turn off. I can stop it from being displayed in Gmail - but that doesn't mean people can't follow me.

      As a mail user only this only means extra vulnerabilities in my Gmail account as well as time wasted to try and ensure my info doesn't go public.

      1. Uncle Slacky Silver badge
        Stop

        Er, you *can* turn it off

        http://www.metro.co.uk/tech/812817-how-do-i-turn-off-google-buzz

        HTH

      2. Rob Thorley
        Go

        Buzz Can Be Switched off

        Go to the bottom of GMail, just above c2010 Google, 'turn off Buzz'.

        Go on, you know you want to...

        1. Florence

          That's actually new

          This article has been updated :

          http://mail.google.com/support/bin/answer.py?hl=en&answer=171460

          A couple of days ago it still said that "turn off buzz" only removed the Buzz entry in Gmail but it did not disable it.

          The lines about removing your profile first are very recent.

          It's also worth noting that even if you delete your profile, if you have made any posts on anyone's Buzz page, these posts will remain unless you go and remove them manually first....

          You didn't seriously think it was that simple did you??

  5. ZenCoder
    Thumb Up

    bad press = bugs fixed

    You need stories shaming sites for dropping the ball on security, otherwise the fix won't be a priority. If its not fixed by now I bet its fixed this time tomorrow.

  6. David Neil
    Pirate

    His nickname

    "RSnake"

    Really, he's never said this out loud...

    Sounds like a gay pron star

  7. Smokey Joe

    Whuuuttt?

    Google's geolocation abilities, now built into their apps to show just how cool they are, are being exploited nefariously?

    Well I never!

  8. marschw

    Hmm...

    "[...]and there are no indications the flaw has been exploited, he said."

    Except, I assume it was exploited by TrainReq in order to report the vulnerability, so it's been exploited at least once. I mean, you need to know that it actually happens before you report it. So, in other words, there is a vulnerability, and Google thinks it hasn't been exploited, even though it has.

    1. Anonymous Coward
      FAIL

      RE: marschw

      ...by that logic, nothing has a 100% safety record - simply because during testing etc

  9. Flodge
    Black Helicopters

    Google Ate My Children

    What is it with El Reg and Google? Have they p!ssed in your kettle or what?

    Why don't you just rename your domain wehategoogletheyaretrulyevil.co.uk?

    Oh my lordy, I was buzzing yesterday and today. That'll have given away my geolocation and the people in the black helicopters will now be able to find me and use my credit card details to buy their fuel. Hide under the desks until they go away.

    Security lapse my @rse. I warn you, you're beginning to sound silly.

    As I said to the MS salesman who failed to persuade me to live.com instead of Google Apps: "The good news is, you're not paranoid. The bad news is, because everyone is out to get you."

    1. Renato
      Pint

      El Reg

      Well, sir, this is El Reg. AKA We bash anyone.

      If this respectable organisation were to buy this "wehategoogletheyaretrulyevil.co.uk" domain, it would need to buy "wehateappletheyaretrulyevil.co.uk", "wehatemicrosofttheyaretrulyevil.co.uk", "wehatehptheyaretrulyevil.co.uk" and so on.

      Back in topic, well, surely you are a good person and would do no harm to the children (whom nobody seems to think of!) neither you cause that $deity damn global warming. Good person. Good.

      Beer, it's lunch time here and carnival ended yesterday. I'm in Brazil btw. OH MY! I LEFT MY GEOLOCATION ON EL REG! (as if they don't have the IP address I'm using right now)

  10. TeeCee Gold badge

    XSS?

    I suppose that since they need to ensure that seamless scripting across google, analytics, 1e100 (is that right?), Old Uncle Tom Cobbley and all works without any issues, they're always going to have to leave a few doors open that would be far better slammed shut and heavily bolted.

    Or am I missing something here?

    1. Field Marshal Von Krakenfart

      Be afraid...

      No, you're not missing anything, the chocolate factory is going the way of MickySoft and creating one big humongous über ap mess with security flaws between the aps just because its easier to code it that way, rather than having a set separate 'secure' aps.

      What's next, targeted ads in the gmail you send where the recipient of the email gets targeted ads base on their browsing history?

      Time to find a new email server I think

  11. Anonymous Coward
    Anonymous Coward

    tut tut

    I'm shocked that a big company like Google would allow it's geolocation vulnerability to come with a bug causing it to act like a social networking site.

This topic is closed for new posts.

Other stories you might like

  • Google has more reasons why it doesn't like antitrust law that affects Google
    It'll ruin Gmail, claims web ads giant

    Google has a fresh list of reasons why it opposes tech antitrust legislation making its way through Congress but, like others who've expressed discontent, the ad giant's complaints leave out mention of portions of the proposed law that address said gripes.

    The law bill in question is S.2992, the Senate version of the American Innovation and Choice Online Act (AICOA), which is closer than ever to getting votes in the House and Senate, which could see it advanced to President Biden's desk.

    AICOA prohibits tech companies above a certain size from favoring their own products and services over their competitors. It applies to businesses considered "critical trading partners," meaning the company controls access to a platform through which business users reach their customers. Google, Apple, Amazon, and Meta in one way or another seemingly fall under the scope of this US legislation. 

    Continue reading
  • I was fired for blowing the whistle on cult's status in Google unit, says contractor
    The internet giant, a doomsday religious sect, and a lawsuit in Silicon Valley

    A former Google video producer has sued the internet giant alleging he was unfairly fired for blowing the whistle on a religious sect that had all but taken over his business unit. 

    The lawsuit demands a jury trial and financial restitution for "religious discrimination, wrongful termination, retaliation and related causes of action." It alleges Peter Lubbers, director of the Google Developer Studio (GDS) film group in which 34-year-old plaintiff Kevin Lloyd worked, is not only a member of The Fellowship of Friends, the exec was influential in growing the studio into a team that, in essence, funneled money back to the fellowship.

    In his complaint [PDF], filed in a California Superior Court in Silicon Valley, Lloyd lays down a case that he was fired for expressing concerns over the fellowship's influence at Google, specifically in the GDS. When these concerns were reported to a manager, Lloyd was told to drop the issue or risk losing his job, it is claimed. 

    Continue reading
  • Makers of ad blockers and browser privacy extensions fear the end is near
    Overhaul of Chrome add-ons set for January, Google says it's for all our own good

    Special report Seven months from now, assuming all goes as planned, Google Chrome will drop support for its legacy extension platform, known as Manifest v2 (Mv2). This is significant if you use a browser extension to, for instance, filter out certain kinds of content and safeguard your privacy.

    Google's Chrome Web Store is supposed to stop accepting Mv2 extension submissions sometime this month. As of January 2023, Chrome will stop running extensions created using Mv2, with limited exceptions for enterprise versions of Chrome operating under corporate policy. And by June 2023, even enterprise versions of Chrome will prevent Mv2 extensions from running.

    The anticipated result will be fewer extensions and less innovation, according to several extension developers.

    Continue reading
  • End of the road for biz living off free G Suite legacy edition
    Firms accustomed to freebies miffed that web giant's largess doesn't last

    After offering free G Suite apps for more than a decade, Google next week plans to discontinue its legacy service – which hasn't been offered to new customers since 2012 – and force business users to transition to a paid subscription for the service's successor, Google Workspace.

    "For businesses, the G Suite legacy free edition will no longer be available after June 27, 2022," Google explains in its support document. "Your account will be automatically transitioned to a paid Google Workspace subscription where we continue to deliver new capabilities to help businesses transform the way they work."

    Small business owners who have relied on the G Suite legacy free edition aren't thrilled that they will have to pay for Workspace or migrate to a rival like Microsoft, which happens to be actively encouraging defectors. As noted by The New York Times on Monday, the approaching deadline has elicited complaints from small firms that bet on Google's cloud productivity apps in the 2006-2012 period and have enjoyed the lack of billing since then.

    Continue reading
  • It's a crime to use Google Analytics, watchdog tells Italian website
    Because data flows into the United States, not because of that user interface

    Updated Another kicking has been leveled at American tech giants by EU regulators as Italy's data protection authority ruled against transfers of data to the US using Google Analytics.

    The ruling by the Garante was made yesterday as regulators took a close look at a website operator who was using Google Analytics. The regulators found that the site collected all manner of information.

    So far, so normal. Google Analytics is commonly used by websites to analyze traffic. Others exist, but Google's is very much the big beast. It also performs its analysis in the USA, which is what EU regulators have taken exception to. The place is, after all, "a country without an adequate level of data protection," according to the regulator.

    Continue reading
  • UK competition watchdog seeks to make mobile browsers, cloud gaming and payments more competitive
    Investigation could help end WebKit monoculture on iOS devices

    The United Kingdom's Competition and Markets Authority (CMA) on Friday said it intends to launch an investigation of Apple's and Google's market power with respect to mobile browsers and cloud gaming, and to take enforcement action against Google for its app store payment practices.

    "When it comes to how people use mobile phones, Apple and Google hold all the cards," said Andrea Coscelli, Chief Executive of the CMA, in a statement. "As good as many of their services and products are, their strong grip on mobile ecosystems allows them to shut out competitors, holding back the British tech sector and limiting choice."

    The decision to open a formal investigation follows the CMA's year-long study of the mobile ecosystem. The competition watchdog's findings have been published in a report that concludes Apple and Google have a duopoly that limits competition.

    Continue reading
  • Google recasts Anthos with hitch to AWS Outposts
    If at first you don't succeed, change names and try again

    Google Cloud's Anthos on-prem platform is getting a new home under the search giant’s recently announced Google Distributed Cloud (GDC) portfolio, where it will live on as a software-based competitor to AWS Outposts and Microsoft Azure Stack.

    Introduced last fall, GDC enables customers to deploy managed servers and software in private datacenters and at communication service provider or on the edge.

    Its latest update sees Google reposition Anthos on-prem, introduced back in 2020, as the bring-your-own-server edition of GDC. Using the service, customers can extend Google Cloud-style management and services to applications running on-prem.

    Continue reading
  • Google offers $118m to settle gender discrimination lawsuit
    Don't even think about putting LaMDA on the compensation committee

    Google has promised to cough up $118 million to settle a years-long gender-discrimination class-action lawsuit that alleged the internet giant unfairly pays men more than women.

    The case, launched in 2017, was led by three women, Kelly Ellis, Holly Pease, and Kelli Wisuri, who filed a complaint alleging the search giant hires women in lower-paying positions compared to men despite them having the same qualifications. Female staff are also less likely to get promoted, it was claimed.

    Gender discrimination also exists within the same job tier, too, the complaint stated. Google was accused of paying women less than their male counterparts despite them doing the same work. The lawsuit was later upgraded to a class-action status when a fourth woman, Heidi Lamar, joined as a plaintiff. The class is said to cover more than 15,000 people.

    Continue reading
  • Google: How we tackled this iPhone, Android spyware
    Watching people's every move and collecting their info – not on our watch, says web ads giant

    Spyware developed by Italian firm RCS Labs was used to target cellphones in Italy and Kazakhstan — in some cases with an assist from the victims' cellular network providers, according to Google's Threat Analysis Group (TAG).

    RCS Labs customers include law-enforcement agencies worldwide, according to the vendor's website. It's one of more than 30 outfits Google researchers are tracking that sell exploits or surveillance capabilities to government-backed groups. And we're told this particular spyware runs on both iOS and Android phones.

    We understand this particular campaign of espionage involving RCS's spyware was documented last week by Lookout, which dubbed the toolkit "Hermit." We're told it is potentially capable of spying on the victims' chat apps, camera and microphone, contacts book and calendars, browser, and clipboard, and beam that info back to base. It's said that Italian authorities have used this tool in tackling corruption cases, and the Kazakh government has had its hands on it, too.

    Continue reading
  • Brave Search leaves beta, offers Goggles for filtering, personalizing results
    Freedom or echo chamber?

    Brave Software, maker of a privacy-oriented browser, on Wednesday said its surging search service has exited beta testing while its Goggles search personalization system has entered beta testing.

    Brave Search, which debuted a year ago, has received 2.5 billion search queries since then, apparently, and based on current monthly totals is expected to handle twice as many over the next year. The search service is available in the Brave browser and in other browsers by visiting search.brave.com.

    "Since launching one year ago, Brave Search has prioritized independence and innovation in order to give users the privacy they deserve," wrote Josep Pujol, chief of search at Brave. "The web is changing, and our incredible growth shows that there is demand for a new player that puts users first."

    Continue reading

Biting the hand that feeds IT © 1998–2022