Results 1 to 4 of 4

Thread: Google Buzz xss

  1. #1
    HYBR|D
    Guest

    Smile Google Buzz xss

    Just thought i'd mention that Google Buzz thing had a xss flaw.

    Here is the string for the flaw.

    https://m.google.com/app/buzz#~buzz:...w=search&bmb=1
    you will need to "spoof" your user agent string to get it working.

    Theres also a fresh write up over at ha.ckers.org



    There’s four things of note here. Firstly it’s on Google’s domain, not some other domain like Google Gadgets or something. So yes, it’s bad for phishing and for cookies. Secondly, it’s over SSL/TLS (so no one should be able to see what’s going on, right?). Third, it could be used to hijack Google Buzz - as if anyone is using that product (or at least you shouldn’t be). And lastly isn’t it ironic that Google is asking to know where I am on the very same page that’s being compromised? Why on earth does Google think its systems are secure enough to trust them with that kind of sensitive information? Yes, bad guys can figure out where you’re located if you allow that function. Chinese dissidents beware! But if you have something to hide, you must be a bad guy, right, Eric?
    & here's the Original thread over at DG

    I figured that since were on a Security site i may as well start a thread and get some sort of dicussion happening about this.
    Last edited by HYBR|D; February 17th, 2010 at 03:59 PM. Reason: Yeah the hole "Should" be patched by now ;)

  2. #2
    Senior Member JPnyc's Avatar
    Join Date
    Jan 2005
    Posts
    2,734
    Google buzz? Never heard of it.

  3. #3
    HYBR|D
    Guest
    Joe, it is meant to be twitter / facebook to social networking rolled into 1. I personally haven't spent much time on it, kind of find the whole social networking boring. I prefer rocking up at friends houses at all hours of the morning causing a ruckus.


    A Article from Computer World about this "incident"

    A common Web programming error could give hackers a way to take over Google Buzz accounts, a security expert said Tuesday. The flaw is a "medium-sized problem" with the Buzz for Mobile Web site, said Robert Hansen, CEO of SecTheory, who first reported the issue.
    This type of Web programming error, called a cross-site scripting flaw, lets the attacker put his own scripting code into Web pages that belong to trusted Web sites such as Google.com. It is a fairly common flaw but one that can have major consequences when exploited on widely used Web sites.
    The attacker "can force you to say things you don't want to say, to follow people," he said. "Whatever Google Buzz allows you to do, it allows him to do to you."
    Because attackers can use the flaw to put their content on the Google.com domain, they could also create phishing attacks against Google users, Hansen said.
    "If they left this unpatched, it could be horrible for any user of the site," he said. "It could easily be used to convince people that they're typing something into a valid Google sign-on page when they're really not."
    The bug was discovered by a hacker known as TrainReq, who e-mailed Hansen details of the flaw without explanation. TrainReq is best known for posting photos stolen from pop star Miley Cyrus' e-mail account to the Internet.
    Reached Tuesday afternoon Pacific Time, a Google spokesman confirmed that the company was working to fix the issue and predicted that it would be finished within a few hours.
    "We're aware of a vulnerability that could affect users of Google Buzz for mobile, and we are now pushing a fix," spokesman Jay Nancarrow said via e-mail. "We have no indication that the vulnerability is being actively abused."
    Launched last week, Google Buzz was blasted by some for automatically publishing lists of users' Gmail contacts with little notification. The company is making some changes this week to help alleviate those concerns.
    However, the security flaw underscores another important issue, said Hansen, a vocal Google critic. "Google really can't be trusted with sensitive information because they can't protect their own applications."

    http://www.computerworld.com/s/artic...?taxonomyId=17

  4. #4
    Senior Member JPnyc's Avatar
    Join Date
    Jan 2005
    Posts
    2,734
    So two useless things combined into one = an even bulkier useless thing?

Similar Threads

  1. Google vs eBay
    By Egaladeist in forum General Computer Discussions
    Replies: 1
    Last Post: October 28th, 2005, 04:49 AM
  2. Befriending Google
    By ch4r in forum Other Tutorials Forum
    Replies: 2
    Last Post: January 21st, 2005, 02:53 PM
  3. Google as a Hacking Tool
    By 3rr0r in forum The Security Tutorials Forum
    Replies: 26
    Last Post: December 1st, 2004, 06:31 AM
  4. Google is watching you...
    By MrLinus in forum Web Security
    Replies: 13
    Last Post: August 7th, 2004, 04:13 PM
  5. Article about our loved Google...
    By -DaRK-RaiDeR- in forum AntiOnline's General Chit Chat
    Replies: 0
    Last Post: December 22nd, 2002, 07:21 PM

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •