Thursday, February 11, 2010

Google Buzz for Spammers


The Google Buzz sign-up is being advertised to users when logging into Gmail, and is a fairly transparent process to users with an existing Gmail account.

Clicking on “Sweet! Check out Buzz” brings you to your initial follower/follow back network of friends:

As the privacy statement suggested, Buzz automatically set the people who had communicated with me over Gmail, and who had joined Buzz, to follow me. Similarly, Buzz made suggestions on whom I should follow. From the Buzz privacy statement:

For me, the default web apps connected to Buzz were my public facing Picasa and Google Reader:

By default (as stated in the Google privacy statement), the list of people I am following and the people following me is publicly displayed on my profile.

As numerous folks have blogged about (e.g., CNET), this could be a privacy concern for users who do not want to share their social network with the world. As with other social networks, this could be used to gather intelligence on individuals and the corporations/organizations/groups they belong to, and could be used in targeted spear phishing or impersonation attacks. To the general user on the web, however, many of the benefits of social networking outweigh the risks.

In addition to these concerns, Google Buzz brings a few other items to the table for an attacker. One in particular is email validation. I clicked on one of my co-workers who was following me and whose Buzz profile used the default setup; I was then able to see the people he is following and those following him (again, the default setting). The people in his social network whom I had emailed in the past from my Gmail account had their email addresses exposed; those I had not emailed in the past did not.

A user with a Buzz account necessarily has a Gmail account, and the name visible in Buzz is often used in some form or another as the user's Gmail address. As a spammer, one could create a network of Gmail accounts connected to Buzz, follow a large number of users, follow their followers, and so on; harvest the user names / alias names of those being followed; make best-guess attempts at their email addresses; and start sending test messages. Once a guess succeeds, the email address is exposed in the Buzz interface, validating that the address exists and is tied to that user.
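The two preceding paragraphs describe a visibility rule that doubles as an address-validation oracle: an email address appears on a contact's entry only after the viewer has mailed it, so a correct guess confirms itself. The model below is an added example, not Google's code or anything from the original post; the `Account` class, the two rendering rules and the `confirms_guess` check are hypothetical. It shows the leaky rule beside a hardened one in which the address is shown only on the contact's explicit opt-in, so that nothing the viewer sends can change what the viewer sees.

```python
from dataclasses import dataclass, field


@dataclass
class Account:
    """Hypothetical profile record (constructed for this example)."""
    name: str
    email: str
    email_public: bool = False                 # explicit opt-in to show the address
    sent_to: set = field(default_factory=set)  # addresses this account has emailed


def render_contact_default(viewer, contact):
    """Rule the post observed: the address is shown once the viewer has emailed it."""
    if contact.email in viewer.sent_to:
        return f"{contact.name} <{contact.email}>"
    return contact.name


def render_contact_hardened(viewer, contact):
    """Safer rule: the address is shown only if the contact opted in, independent
    of anything the viewer has sent."""
    if contact.email_public:
        return f"{contact.name} <{contact.email}>"
    return contact.name


def confirms_guess(render, viewer, contact, guess):
    """True if mailing `guess` changes what the viewer sees on the contact's entry,
    i.e. the rendering rule acts as an address-validation oracle."""
    before = render(viewer, contact)
    viewer.sent_to.add(guess)        # a test message sent to the guessed address
    after = render(viewer, contact)
    viewer.sent_to.discard(guess)    # restore the viewer's state
    return before != after


if __name__ == "__main__":
    bob = Account("Bob Example", "bob.example@example.com")   # constructed sample
    viewer = Account("Viewer", "viewer@example.com")
    for render in (render_contact_default, render_contact_hardened):
        print(render.__name__, confirms_guess(render, viewer, bob, bob.email))
```

The defender's takeaway is the second rule: the decision to reveal an address must depend only on state the address owner controls, never on state the viewer can manipulate by sending mail.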

The way this would likely work and scale for the spammer is through an automated Google Buzz bot or worm that builds a list of followers and spiders out to the followers of followers, and so forth, in order to harvest Gmail names / aliases to guess against and build an email spam list. The email validation not only confirms that the email account is live, but also that it is linked to the social network visible in Buzz. In other words, knowledge of a particular user's social network could be used in an automated but more targeted spam campaign. For example, email subject: "Hey, I see you are friends with XYZ..."; email body: "Here are some pictures of her that I thought you would get a kick out of: insert malicious link/attachment" (remind you of Koobface?).
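The spidering pattern described above leaves a recognisable trace on the service side: an account that issues many follows in a short window, is rarely followed back, and whose targets are already connected to one another (because they were harvested as followers of followers). The detection heuristic below is an added example, not part of the original post and not anything Google ran; the log format, the account names and the thresholds are all constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample activity log (not real data): "timestamp action actor target".
# u1..u6 are ordinary users; bot1 follows u1 and then everyone who follows u1.
SAMPLE_LOG = """\
2010-02-11T09:00 follow u2 u1
2010-02-11T09:01 follow u1 u2
2010-02-11T09:02 follow u3 u1
2010-02-11T09:03 follow u4 u1
2010-02-11T09:04 follow u5 u1
2010-02-11T09:05 follow u1 u5
2010-02-11T10:00 follow bot1 u1
2010-02-11T10:00 follow bot1 u2
2010-02-11T10:00 follow bot1 u3
2010-02-11T10:01 follow bot1 u4
2010-02-11T10:01 follow bot1 u5
2010-02-11T10:01 follow bot1 u6
2010-02-11T10:02 follow u6 bot1
"""


def parse_log(text):
    """Parse log lines into (timestamp, action, actor, target) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, action, actor, target = line.split()
        events.append((ts, action, actor, target))
    return events


def build_graph(events):
    """Replay follow/unfollow events into a map actor -> set of accounts followed."""
    following = defaultdict(set)
    for _ts, action, actor, target in events:
        if action == "follow":
            following[actor].add(target)
        elif action == "unfollow":
            following[actor].discard(target)
    return following


def account_features(actor, following, events):
    """Per-account signals that separate a spidering bot from an ordinary user."""
    targets = following.get(actor, set())
    n = len(targets)
    if n == 0:
        return {"follows": 0, "reciprocity": 0.0, "cluster_fraction": 0.0, "burst": 0}
    # How many of the accounts this actor follows follow it back.
    reciprocated = sum(1 for t in targets if actor in following.get(t, set()))
    # Spidering followers-of-followers yields targets that follow each other.
    clustered = sum(
        1 for t in targets if any(u in following.get(t, set()) for u in targets if u != t)
    )
    # Largest number of follows issued within a single hour bucket (ts[:13] = YYYY-MM-DDTHH).
    per_hour = Counter(ts[:13] for ts, action, a, _t in events
                       if a == actor and action == "follow")
    return {
        "follows": n,
        "reciprocity": reciprocated / n,
        "cluster_fraction": clustered / n,
        "burst": max(per_hour.values(), default=0),
    }


def flag_spiders(events, min_follows=5, max_reciprocity=0.5, min_cluster=0.5):
    """Return actors whose follow behaviour matches the spidering pattern.
    Thresholds are illustrative; a real deployment would tune them on baseline traffic."""
    following = build_graph(events)
    flagged = []
    for actor in sorted(following):
        f = account_features(actor, following, events)
        if (f["follows"] >= min_follows
                and f["reciprocity"] <= max_reciprocity
                and f["cluster_fraction"] >= min_cluster):
            flagged.append(actor)
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    graph = build_graph(evs)
    for actor in sorted(graph):
        print(actor, account_features(actor, graph, evs))
    print("flagged:", flag_spiders(evs))
```

Reciprocity and cluster fraction together matter more than raw volume: a popular user who follows many people back has high reciprocity, and a new user following a handful of unrelated friends has a low cluster fraction, so neither trips the rule on its own.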

Additionally, once a user is connected to / followed in Buzz, you can interact through other mediums besides email, which could be leveraged to bypass spam filters within Gmail. Gchat, Google Wave, Blogger, Google Reader, etc. are some examples of the interactive mediums Buzz provides its users.
