
Google Gadgets an Open Door for Attack

Sagittarius   on 08 August 2008 - 18:26 · 10 comments & 4277 views

Gadget lovers were dealt a blow on Wednesday when two researchers outlined what they called a "hole" during a Black Hat presentation. "The attacker can forcibly install Google Gadgets; they can read the victim's search history once a malicious gadget has been installed in some specific circumstances; they can attack other Google Gadgets; they can phish usernames and passwords from victims, and so on," said Robert Hansen, also known as RSnake, a founder of security consultancy SecTheory. "Really, the sky is the limit, once the browser is under the control of an attacker. And that point is exacerbated by the fact that people trust Google to be a trustworthy domain, making the attacks even easier."

Hansen said that users who are most vulnerable to attack are those who use Google and specifically Gmail, since the Web-based e-mail service requires them to be logged in. The attack relies on users intentionally adding modules themselves; a user may be tricked into adding malicious Google modules to his iGoogle homepage. "These users are almost all using JavaScript and normal Web browsers, making them easy pickings for many different classes of attack," he added.

View: Full Story at InfoWorld

#1 vetmarkjensen on 08 Aug 2008 - 18:30
The attack relies on users intentionally adding modules themselves
Well, that seems to be the common first step for most exploits.

However, I find it unacceptable that one gadget would be allowed to add more, and snoop/interfere with others. In some cases, a user might want a new gadget to read his/her calendar. But there should be some privacy/isolation set as default, and the user must authorize a link.

This sounds like a free-for-all once installed.
#2 BilliShere on 08 Aug 2008 - 18:38
good thing i never installed google gadgets on my ubuntu. lol.
#3 jwjw1 on 08 Aug 2008 - 18:58
Hansen said that users who are most vulnerable to attack are those who use Google and specifically Gmail

seems maybe MS is behind this attack.....LOLOL!...I bet users of Hotmail and MSN Search are safe
#4 guruparan on 08 Aug 2008 - 19:52
"by the fact that people trust Google to be a trustworthy domain" ---No one will ever say this
It will be a Search-worthy domain

Last edited by guruparan on 08 Aug 2008 - 20:05
#5 +shinji257 on 08 Aug 2008 - 21:57
Actually I primarily use Google for not only searching but also email at this point. I have my own domain email but it is really Gmail in the end. I'm kinda worried about this exploit; however, I also disabled the start page functionality.
(4 replies) #6 +M2Ys4U on 08 Aug 2008 - 22:55
TL;DR: Only install applications, gadgets, widgets etc. that you can trust, not everything under the sun.
#6.1 Guol on 09 Aug 2008 - 12:38
And how are you supposed to determine what is 'trustworthy' and what is not?
#6.2 +M2Ys4U on 10 Aug 2008 - 06:57
(Guol said @ #6.1)
And how are you supposed to determine what is 'trustworthy' and what is not?


How do you determine anything is trustworthy?
#6.3 toadeater on 11 Aug 2008 - 04:34
(M2Ys4U said @ #6.2)
(Guol said @ #6.1)
And how are you supposed to determine what is 'trustworthy' and what is not?


How do you determine anything is trustworthy?


If it phones home or autoupdates it's not trustworthy.
#6.4 vetmarkjensen on 11 Aug 2008 - 11:47
(toadeater said @ #6.3)
If it phones home or autoupdates it's not trustworthy.

You mean like Mozilla Firefox?
http://www.neowin.net/forum/index.php?showtopic=645847
