The spam buzz on Google Buzz

Feb. 11, 2010

This morning I logged into Gmail to check my mail. Before I could read my messages, I was invited (along with most or all Gmail users) to join Google Buzz, which was rolled out on Tuesday. This is a new social networking tool that Google has created that seems to be part-Facebook, part-Twitter, part-Gmail and part-MySpace. With no time to spend at the moment looking into exactly what Google Buzz was, I hit OK to get through to my email and was notified that Google automatically networked me with 7 people. I just now had time to look back at it and apparently it networked me with some friends who were also Gmail users. Apparently they can see my profile photo (not my smiling face, by the way, but a photo of me flipping an 18-foot raft in a Grand Canyon rapid last summer) and post updates which I see.

What drew me back to look closer at Google Buzz was this blog post from Mike Geide, a researcher from cloud-computing security firm Zscaler, where Mike details a potential plan of attack on Google Buzz by spammers. Geide points out the wide-open default settings that do little to protect users' privacy. He concludes that:

As a spammer, one could create a network of Gmail accounts connected to Buzz and follow a large number of users, follow their followers, etc.Harvest user names / alias names for those being followed, and do best guess attempts at guessing their email address and start sending test messages.Once a successful guess has occurred, the email address will then be exposed in the Buzz interface validating that the email address exists and is tied to that user.

Mike, thanks for the warning on this, and to Google: Wake up and fix this buzzing privacy issue!