Exclusive: Google's latest Buzz privacy changes enable possible new exploit

As we discovered in our tests, when a user deletes her Google profile, certain information about her remains -- for instance, the photo from her Google account, and her screen name. For someone who legitimately wants to discontinue using Buzz and all other Google services, erasing the Google profile may be pointless. Even though Google appears to promise that a deleted profile is a destroyed one, traces of a user's activity could enable elements of that profile to be reconstructed. Apparently one key element survives the profile deletion: the list of people that a Buzz member is following.

But that points to a second problem, which may even be dangerous: Theoretically, a malicious user could leverage this situation to create a false Buzz identification that is not tied to any publicly searchable profile. That malicious user could then masquerade as someone whom the followed person knows, using only a name and perhaps a photo (that's optional anyway), both of which could be false. If the malicious user created a false Google profile with Buzz, and then de-activated Buzz, the false photo and name would remain associated with the Gmail account.

The fact that this element survives even before the public Google profile is reconstructed reveals certain characteristics of Buzz that we did not previously know:

  • A Buzz user may follow others without a Google public profile. Even though Google states the creation of a public profile is necessary in order for a new user to enroll into Buzz, one certainly was not necessary for us to re-enroll an account into Buzz after de-activating it and deleting our test profile. As a result, if you find yourself using Buzz, you may discover that other individuals are following you whom you did not invite, and whose identities you cannot determine. To keep things simpler and more brief, let's call the malicious user trying to follow someone X, and the person being followed Y. At first, X's ID and photo (if he has one) are listed in Y's Gmail under Y's list of followers, even if X does not have a "public profile," and even if X elects not to share his list of followed contacts on his (non-existent) profile. Y can unfollow that person (assuming he's a person at all). However, if X does not have a public profile, all Y can see is the name and perhaps the photo. Therefore, it's possible that a "non-profiled" person can follow any Buzz user, not with complete stealth, but at least without having to present his credentials first. And if he has set up his Gmail account under a false name and photo, then conceivably anyone may easily become followed without permission by someone else passing himself off as a friend. This, in our opinion, is dangerous -- perhaps even more so, theoretically, than the possibility of accidentally revealing one's contacts list during sign-up.
  • Evidence exists that a user's Buzz activities in Google's database survive the deletion of her Google profile. Even without re-creating the Google profile, in our test, when we re-activated a once deactivated Buzz, it suggested (but did not automatically select) other Buzz members to follow. That list of suggestions (shown above) contained individuals to whom our test account had never sent a Gmail message, and from whom it had never received one, but who were previously followed under our Buzz account before we disabled it and deleted our test profile. That fact suggests that each user's Buzz activity is being stored at Google independently of that person's profile, so deactivating Buzz does not wipe one's slate clean.
  • "Blocking" a follower can lead to a situation where the blocked follower can end up following that person anyway without being detected. Assume that X has no public profile, and is following Y. Y discovers X in her list of followers, so she blocks X. X is not notified -- in fact, X still thinks he's following Y. But he doesn't receive Y's updates, so he gets curious. X unfollows Y. Then X follows Y again. X is no longer blocked. What's more, not only is Y not notified that X is no longer blocked, she cannot see that X is following Y. Y appears in X's list of followed people, and X does not appear in Y's list of followers. What's more, X is not counted as one of the followers in Y's Buzz count; so if Y has three other followers besides X, Y's Gmail will read, "3 followers."
Screenshot: Two simultaneous dialog boxes from different Gmail accounts. X is informed he's following two people, one of whom is Y. Y believes she has blocked X, and Y is told that X is not following her. X does not have a public Google profile.

  • An unprofiled Buzz user may be followed by anyone else without being notified. This is where you could say Y turns the tables on X: Assume once again that X has no public profile, and is following Y. Y discovers X and blocks X. Immediately afterward, Y follows X. X can continue to follow Y, and Y will not appear in X's list of followers. If X has not discovered yet that Y has blocked X, and X has not yet unfollowed and re-followed Y, then for the time being, X appears in Y's list of followed people, and Y does not appear in X's list of followers. However, X does have this one strange clue: Y is counted as one of the followers in X's Buzz count. So if X has no other followers besides Y, X's Gmail will read, "1 follower." However, when X clicks on that link, the dialog box that appears will read, "X has 0 followers."
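The two follow/block sequences above (the block that disappears after an unfollow and re-follow, and the follower count that disagrees with the follower dialog) are easiest to reason about as a small state model. The following is an added example written for this page, not Google's code, and it does not claim to show how Buzz stored anything; the user names X and Y are the article's, everything else is assumed. `LeakyGraph` is one plausible design that reproduces both observed symptoms: the block flag rides on the follow edge, so removing the edge removes the block, and the follower count and the follower dialog apply different filters. `HardenedGraph` keeps blocks as their own (blocker, blocked) relation and derives count and list from one function, and `audit()` checks the invariants a defender would want to hold in any such system.

```python
"""Toy follow/block graph for the two scenarios described in the article.

Constructed example; not Google's code. X and Y are the article's labels.
"""
from collections import defaultdict


class LeakyGraph:
    """Block state lives on the follow edge; count and dialog use different filters."""

    def __init__(self):
        self.edges = defaultdict(dict)   # follower -> {target: blocked_flag}
        self.hidden = defaultdict(set)   # user -> followers the UI hides from that user

    def follow(self, follower, target):
        self.edges[follower][target] = False      # fresh edge, block flag reset

    def unfollow(self, follower, target):
        self.edges[follower].pop(target, None)    # takes the block flag with it

    def block(self, user, other):
        if user in self.edges[other]:
            self.edges[other][user] = True
        self.hidden[user].add(other)              # UI stops listing 'other' for 'user'

    def is_blocked(self, user, other):
        return self.edges[other].get(user, False)

    def delivers_updates(self, author, follower):
        return self.edges[follower].get(author) is False

    def _counted(self, user):
        return {f for f, t in self.edges.items()
                if t.get(user) is False and f not in self.hidden[user]}

    def follower_count(self, user):
        return len(self._counted(user))

    def followers_shown(self, user):
        # The dialog applies one more filter than the counter: it also drops
        # followers who have blocked the viewer. That is the "1 follower" /
        # "0 followers" discrepancy.
        return {f for f in self._counted(user) if user not in self.hidden[f]}


class HardenedGraph:
    """Blocks are their own relation; every view is derived from the same data."""

    def __init__(self):
        self.follows = defaultdict(set)   # follower -> {targets}
        self.blocks = defaultdict(set)    # blocker -> {blocked users}

    def follow(self, follower, target):
        if follower in self.blocks[target]:
            return                        # a blocked user cannot re-follow
        self.follows[follower].add(target)

    def unfollow(self, follower, target):
        self.follows[follower].discard(target)

    def block(self, user, other):
        self.blocks[user].add(other)
        self.follows[other].discard(user)   # and sever the existing edge

    def is_blocked(self, user, other):
        return other in self.blocks[user]

    def delivers_updates(self, author, follower):
        return author in self.follows[follower] and follower not in self.blocks[author]

    def followers_shown(self, user):
        return {f for f, t in self.follows.items() if user in t}

    def follower_count(self, user):
        return len(self.followers_shown(user))   # same source as the list


def block_evasion(graph_cls):
    """X follows Y, Y blocks X, X unfollows and re-follows Y."""
    g = graph_cls()
    g.follow("X", "Y"); g.block("Y", "X"); g.unfollow("X", "Y"); g.follow("X", "Y")
    return g


def blocker_follows_back(graph_cls):
    """X follows Y, Y blocks X, then Y follows X."""
    g = graph_cls()
    g.follow("X", "Y"); g.block("Y", "X"); g.follow("Y", "X")
    return g


def audit(g, users):
    """Invariants worth monitoring in a follow/block system; returns violations."""
    problems = []
    for author in users:
        if g.follower_count(author) != len(g.followers_shown(author)):
            problems.append(f"{author}: follower count disagrees with follower list")
        for follower in users:
            if follower == author:
                continue
            delivered = g.delivers_updates(author, follower)
            if delivered and g.is_blocked(author, follower):
                problems.append(f"{author} delivers updates to blocked user {follower}")
            if delivered and follower not in g.followers_shown(author):
                problems.append(f"{follower} gets {author}'s updates but is not listed")
    return problems


if __name__ == "__main__":
    for cls in (LeakyGraph, HardenedGraph):
        for scenario in (block_evasion, blocker_follows_back):
            print(cls.__name__, scenario.__name__, audit(scenario(cls), ["X", "Y"]) or "clean")
```

Running the script shows the leaky design failing the audit in both sequences (X keeps receiving Y's updates while absent from Y's follower list; X's count says 1 while the dialog lists nobody) and the hardened design passing. The design lesson is the one the article's observations point at: block state must not be stored on something the blocked party can delete, and every follower view shown to a user should come from a single query so that counts and lists cannot drift apart.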

In our initial tests last week, Betanews determined that it was indeed possible for a Buzz user to not have a public profile, and we explained why, in one sense, this was a good thing. It made it possible for there to be a safeguard for new Buzz users to avoid inadvertently sharing their list of frequent Gmail contacts with other Buzz users.

But the addition of a system that enables a Buzz user to exit the service and come back with no profile at all creates a new problem: It makes it easier for someone you don't want following you to falsify his identity. Betanews notified Google of our test results prior to the publication of this story.
