Google Buzz: socnet or spam magnet?

Written by John P Mello Jr on February 18, 2010
Privacy holes in Google Buzz could attract spammers.

Google is scrambling to patch the privacy holes in its Buzz application launched last week, hopefully before spammers turn the social network into a gold mine for their repugnant activities.

When introduced last Tuesday, the yawning flaws in Buzz could be seen in its privacy agreement.

“When you first enter Google Buzz,” it stated, “to make the startup experience easier, we may automatically select people for you to follow based on the people you email and chat with most.”

Assuming a user wants to “follow” someone just because they trade emails may have seemed convenient to Buzz designers, but in fact it’s a needless usurpation of a user’s ability to choose with whom he or she associates. Sure, automating who a user follows is a quick way to build a following list, but it actually adds hassle to the process as a user must manually scrutinize who he or she is following and weed out the deadwood.

But the boners get better. “Similarly,” the Buzz privacy statement continued, “we may also suggest to others that they automatically follow you.” Automatically putting the touch on people to follow a user based on the user’s Gmail address book is an expedient way to rapidly build a socnet without the fuss of inviting people to join individually. What the Buzz designers failed to fathom is that just because a user communicates frequently with someone in his or her address book doesn’t mean that user wants to share his or her every thought with that contact. What someone might divulge through a tweet or Facebook comment isn’t always something he or she wants divulged to a frequent email correspondent like a client or boss. Facebook understood that from the start, so it’s surprising that the savvy crew at Google could make such a blunder.

Granted, a user can block any of his or her followers, but why should the onus be placed on the user to comb out unwanted followers from a list created by Google?

Those inconveniences to users, though, aren’t what will be percolating the interest of spammers in the new social network. It’s the availability of a new source of public information about millions of potential marks.

“Your name, photo, and the list of people you follow and people following you will be displayed on your Google profile, which is publicly searchable on the Web,” the Buzz statement said.

In addition to appearing on a public profile page, users also appear on the pages of people they’re following or who are following them, if those people choose to make public their lists of followers or of whom they’re following.

These public lists of followers could be juicy morsels for Black Hats planning spear phishing or impersonation attacks. They could take a list of related followers and craft an enticing targeted message at them. When you consider that such an attack was used recently by Chinese crackers to break into Google’s treasure chest of data, you’d think the search giant would be a little more sensitive to that issue.

Buzz can also be used by spammers to validate email addresses. When a user checks the page of a follower and that follower allows the list of his or her followers to be public, the email addresses of those followers will appear on screen if the user has communicated with them in the past. A spammer could create a number of bogus Gmail accounts and use them to join Buzz. Then the junk mail perpetrator could follow a bunch of Buzz users, as well as the followers of those users. After collecting the user names of the followers, the spammer could begin making guesses about the email addresses of those followers. The junko artist will know when a valid email address has been created because it will be displayed on any Buzz member’s page with a public list that includes the owner of the email address as a follower.

Of course, the grunt work of gathering followers and followers of followers would be automated by spammers, as would be the trial and error testing needed to construct email addresses. As a bonus, a spammer could exploit the email addresses to perform targeted attacks on the members of a particular Buzz member’s network. Followers are likely to lower their guard if they believe a message asking them to open an attachment or click a link originates from someone they’re following.

Google appears to be just a little embarrassed by the Buzz debacle and, according to the BBC, has set up a “war room” to quickly address immediate and potential problems with the application.

About John P Mello Jr

John Mello is a freelance writer who has written about business and technical subjects for more than 25 years. He is a frequent contributor to the ECT News Network, and his work has appeared in a number of periodicals, including Byte magazine, PC World, Computerworld, CIO magazine and the Boston Globe.