A common Web programming error could give hackers a way to take over Google
Buzz accounts, a security expert said Tuesday.

The flaw is a "medium-sized problem" with the Buzz for Mobile Web site, said
Robert Hansen, CEO of SecTheory, who first reported the issue.

This type of Web programming error, called a cross-site scripting flaw, lets
the attacker put his own scripting code into Web pages that belong to trusted
Web sites such as Google.com. It is a fairly common flaw but one that can have
major consequences when exploited on widely used Web sites.

The attacker "can force you to say things you don't want to say, to follow
people," he said. "Whatever Google Buzz allows you to do, it allows him to do to
you."