Google Buzz Gives Spammers a New Sweet Spot
Feb 11, 2010 11:51 AM PT
In general, Internet security experts become alarmed whenever a new social networking app looks like it is going to become the next big craze. "People already have so much information coming at them online and through their email boxes," said Gerry Egan, vice president of product development at Symantec.
The last thing we need is another vehicle to bombard us with spam or malware, he told the E-Commerce Times.
Buzz -- Google's newly introduced social networking application -- is already drawing some boos from security experts, particularly for its default setting.
One of the ways Google hopes to facilitate adoption is by pre-establishing users' social networks with Gmail address books. Buzz seeds the network with email addresses of contacts with whom the user appears to communicate the most.
If the user accepts the default setting, that list becomes available to other Buzz users.
The default setting automatically provides a list of followers comprised of those you chat or email with, Michael Sutton, VP of security research at Zscaler, told the E-Commerce Times.
The privacy risk is obvious.
"Everyone on your network can see who you communicate with," Sutton said. "Google says it takes addresses with whom you've recently had contact with, but we don't know exactly how the algorithm works."
It could be a contact from several months ago, for instance, which could make seeding that person in the network awkward. "I can see a scenario is which someone's network includes an ex-girlfriend -- someone your wife might not appreciate having there."
The potential for spam is also a problem. Spam has become endemic on social networks, Sutton noted -- and Google Buzz, if and when it reaches the same mass as Twitter or Facebook, will likely be similarly inundated.
"The model we have been seeing is that 'someone' posts a Twitter message that contains a link to malware. Certainly the same thing can and likely will develop with Buzz. What I am saying, though, is that Google hasn't created a new security issue with this site because email addresses are so easy for spammers to get anyway. What it has done is roll it out in a way that creates more privacy issues than someone might realize at first."
Email addresses are easily harvested in many ways. "Auto-generators work just fine -- I get spammed a lot that way since my email address is a dictionary-based one," said Sean Sullivan, F-Secure security advisor for North America.
It is also routine for bots to break into machines and suck them out, he told the E-Commerce Times, noting that "getting email addresses from the cloud would be an extra step for a spammer that isn't necessary."
Still a Danger
While Buzz is unlikely to attract generic bots or spammers, it is possible a spammer would be interested in using it to validate an email address, Mike Geide, senior security researcher at Zscaler, suggested in a blog post.
"As a spammer, one could create a network of Gmail accounts connected to Buzz and follow a large number of users, follow their followers, etc," he wrote. The spammer would then harvest user names for those being followed, and do its best to guess at their email address and start sending test messages. "Once a successful guess has occurred, the email address will then be exposed in the Buzz interface validating that the email address exists and is tied to that user."
Buzz will likely be yet another vulnerable spot on the Internet, said Tom Helou, president and COO of Authenware.
"In the industry's haste to create the next 'Big Thing' for users, our analysis shows that securing the information passed through these sites suffers," he told the E-Commerce Times. "What results is a one-stop-shop for even amateur hackers to create an imitation identity and get access to sensitive information."