Google Gadgets an Open Door for Attack
Posted by Bezhou Feng on 08 August 2008 - 18:26 · 10 comments & 2765 views
#1 Posted by markjensen on 08 Aug 2008 - 18:30
- The attack relies on users intentionally adding modules themselves
Well, that seems to be the common first step for most exploits.

However, I find it unacceptable that one gadget would be allowed to add more, and snoop/interfere with others. In some cases, a user might want a new gadget to read his/her calendar. But there should be some privacy/isolation set as default, and the user must authorize a link.
This sounds like a free-for-all once installed.
-
#2 Posted by BilliShere on 08 Aug 2008 - 18:38
- Good thing I never installed Google Gadgets on my Ubuntu. lol.
-
#3 Posted by jwjw1 on 08 Aug 2008 - 18:58
-
Hansen said that users who are most vulnerable to attack are those who use Google and specifically Gmail
seems maybe MS is behind this attack.....LOLOL!...I bet users of Hotmail and MSN Search are safe
-
#4 Posted by guruparan on 08 Aug 2008 - 19:52
- "by the fact that people trust Google be a trustworthy domain" ---No one will ever say this
It will be a Search-worthy domain
Last edited by guruparan on 08 Aug 2008 - 20:05
-
#5 Posted by shinji257 on 08 Aug 2008 - 21:57
- Actually I primarily use Google for not only searching but also email at this point. I have my own domain email but it is really Gmail in the end. I'm kinda worried about this exploit; however, I also disabled the start page functionality.
-
(4 replies)
#6 Posted by +M2Ys4U on 08 Aug 2008 - 22:55
- TL;DR: Only install applications, gadgets, widgets etc. that you can trust, not everything under the sun.
-
#6.1 Posted by Guol on 09 Aug 2008 - 12:38
- And how are you supposed to determine what is 'trustworthy' and what is not?
-
#6.2 Posted by +M2Ys4U on 10 Aug 2008 - 06:57
- (Guol said @ #6.1) And how are you supposed to determine what is 'trustworthy' and what is not?
How do you determine anything is trustworthy?
-
#6.3 Posted by toadeater on 11 Aug 2008 - 04:34
- (M2Ys4U said @ #6.2) (Guol said @ #6.1) And how are you supposed to determine what is 'trustworthy' and what is not?
How do you determine anything is trustworthy?
If it phones home or autoupdates it's not trustworthy.
-
#6.4 Posted by markjensen on 11 Aug 2008 - 11:47
- (toadeater said @ #6.3) If it phones home or autoupdates it's not trustworthy.
You mean like Mozilla Firefox?
http://www.neowin.net/forum/index.php?showtopic=645847
Hansen said that users who are most vulnerable to attack are those who use Google and specifically Gmail since the Web-based e-mail service requires them to be logged in. The attack relies on users intentionally adding modules themselves; a user may be tricked into adding malicious Google modules to his iGoogle homepages. "These users are almost all using JavaScript and normal Web browsers, making them easy pickings for many different classes of attack," he added.