Mims's Bits

Is Google Buzz a Spammer Bonanza?

Scientists show how the social network could be mined for e-mail addresses.

Christopher Mims 05/17/2010


Users who are still displaying their Google Buzz following / follower list on their Google profiles are leaving themselves open to spammers and, potentially, sophisticated phishing attacks.

It's a good thing that Google responded to the great Google Buzz Privacy Freakout of February 2010 by making the more invasive features of the service opt-in. In addressing those concerns, Google also clamped down on what could have been a windfall for spammers, reports a paper (.pdf) delivered on April 13 at the Social Network Systems 2010 conference in Paris.

Unfortunately, some early adopters of the service, and those who have decided to share their follower/followed list on their Google profiles, are still leaving themselves open.

The exploit, revealed by Mohamed Kaafar and Pere Manils of the French National Institute for Research in Computer Science and Control, capitalizes on the fact that when Google Buzz was first rolled out, Buzz came with a list of everyone users were following and being followed by, and this information was displayed on their Google profile. The lists were automatically populated by links to the profiles of the Buzz users with whom they corresponded most often.

Simply by starting at a random selection of Google Profiles and downloading those users' complete list of followers / followings, Kaafar and Manils were able to recursively walk through a directory of millions of Google Buzz users, accumulating four million profiles in the span of 30 hours using nothing but a single dual-core PC hooked up to a high speed internet connection.

Credit: Flickr user andio4uio / CC BY 2.0

Because of the conventions of Google Profiles, all of the profiles the researchers gathered in this way either ended in or redirected to a URL that included the username of the user being targeted, which is the same as that user's Gmail e-mail address. Thus, in just a few steps, spammers could determine a user's actual e-mail address, associate it with their user profile (which might contain other information about them) and create a social graph of all the other Buzz / Profile users to whom that user is connected.

The result was a list of e-mail addresses that would be especially valuable to spammers, because a second stage of the researchers' automated algorithm was able to verify that 96 percent of the e-mail addresses harvested were valid and active. (Spammers will often send e-mail to lists where only a fraction of the addresses are active, since there is almost no penalty for sending spam to addresses that are not.)

Since the launch of Buzz, Google has made the display of followers / followings on Google Profiles opt-in instead of opt-out, drastically reducing the number of users displaying this information. It's not known how many profiles are currently displaying these lists, but when the researchers conducted their attack soon after the launch of Buzz, 72 percent of the profiles they gathered were displaying them.

Now that Google has made listing followers opt-in, Buzz may have acquired a sort of "herd immunity," whereby the profiles that still have public lists are no longer sufficiently interconnected to make this exploit as successful as its trial run.
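The "herd immunity" argument is a percolation effect: a crawler can only follow links out of profiles whose lists are public, so once the public fraction falls below a threshold the reachable set fragments into small islands. The simulation below is an added illustration, not code from the article or the paper; the graph, the degree and the public fractions are constructed, not measured data.

```python
"""Added example: how far a follower-list crawl can reach as the share of
profiles with public lists shrinks. Nodes are profiles, edges are
follower/following links; a crawler learns the neighbours of a node only if
that node's list is public. All parameters here are constructed."""
import random
from collections import deque


def make_graph(n, degree, seed=0):
    """Random undirected graph: each node links to `degree` random others (constructed)."""
    rng = random.Random(seed)
    adj = [set() for _ in range(n)]
    for u in range(n):
        for _ in range(degree):
            v = rng.randrange(n)
            if v != u:
                adj[u].add(v)
                adj[v].add(u)
    return adj


def reachable_via_public(adj, public, start):
    """Profiles discovered from `start`: links are followed only out of public nodes.
    A non-public profile is still discovered (its URL is seen) but is a dead end."""
    seen = {start}
    queue = deque([start])
    while queue:
        u = queue.popleft()
        if not public[u]:
            continue  # list hidden: no outgoing links available to the crawler
        for v in adj[u]:
            if v not in seen:
                seen.add(v)
                queue.append(v)
    return seen


def largest_crawl(adj, public_fraction, seed=0):
    """Fraction of all profiles reached by the best single crawl, for a given
    share of profiles that display their lists publicly."""
    rng = random.Random(seed)
    n = len(adj)
    public = [rng.random() < public_fraction for _ in range(n)]
    best, covered = 0, set()
    for s in range(n):
        # public nodes already discovered lie in an explored component: same result
        if public[s] and s not in covered:
            found = reachable_via_public(adj, public, s)
            covered |= found
            best = max(best, len(found))
    return best / n


def sweep(fractions, n=2000, degree=3):
    """Map each public fraction to the largest crawl coverage on one constructed graph."""
    adj = make_graph(n, degree)
    return {p: largest_crawl(adj, p) for p in fractions}
```

Running `sweep([1.0, 0.72, 0.3, 0.05])` shows coverage near the whole graph at the 72 percent the researchers observed, collapsing to a few percent once public lists are rare.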

A simple work-around, however, would be a brute-force approach where spammers randomly search Google profiles, trawling for any that still have public lists of follower / followings.

The researchers also revealed a new kind of phishing attack made possible by the detailed information available in the graph of social connections present in the database of four million Google Buzz profiles they were able to harvest.

Imagine receiving an e-mail like this, which is the example given in their paper:

From: Y@domain.com
To: X@gmail.com
Subject: great photos!
Body: Hi X-name, check out these photos of X-friend-1 and X-friend-2's trip to Hawaii.
(embedded malicious link or attachment)

This, they argue, is the full potential of phishing attacks empowered not only with data like your name and e-mail address, but also the names and contact information of others on your social graph.

Updated 18/05/10, 10.30am:

After posting, Google contacted me to say that Gmail usernames for corresponding Google Profiles are not discoverable via the follower/following lists on Buzz user profiles. It's not clear whether the confusion is on the part of the researchers involved, or if this is a security hole that has since been patched.

In any event, the vulnerability still remains for 1/3 of users of Google Profiles. According to a spokesperson for the company, "approximately one-third of all Google Profile users have opted to display their Gmail username in their profile URL instead of an obfuscating string of numbers."


Lhung

05/21/2010

No more spam e-mail.

It's a bonanza because we still have e-mail spam and the current defence against e-mail spam is a "more of the same, no deterrent" that has existed for the last decade.

The greater the improvements in spam filtering (which can never reach 100% using current methods, it’s simply impossible to do it) the more spam that is required to reach worthwhile income levels, so spam e-mail will always continue to increase and slow the “super highway”.

My point?

There may be ways out there to put an end to spam e-mail but it's never going to happen as everyone who can do something thinks it can't because they can’t figure it out or they figure “If the current experts can’t do it, no one else can”.

Whilst it's not the point of this comment, I, for one, know how to end unsolicited spam e-mail, and over a year's experience tells me that the Googles, Microsofts and the entire US government, from the President down, all who claim to be at the forefront of cyber-crime prevention, will simply not respond to an offer of a solution. You can try them yourself and they simply won’t respond. They’re happy to spend billions of dollars pursuing it themselves but spend five minutes to find out what someone else can do and it’s just too much to ask.

How many ideas may there be out there, not just e-mail spam, that the only people who can use them choose to ignore, preferring instead to pursue a path which has a long term track record of failure with no ability now or ever to change that result? How much comfort does it provide that our “saviours” are content to pursue a course of failure and refuse to even consider the possibility of change? How many offers of a solution do they get that could cause them to say “ignore all of these”? Three a year?

And it’s not just one organisation or government department, it’s endemic.


Bio

Christopher Mims is a journalist who covers technology and science for just about everybody.
