News
Analyst: Beware of the Google Gadgets
One fun thing about the interactive world of Web 2.0 is the online applications
you can take advantage of, such as Google Gadgets.
Google describes Gadgets as "miniature objects that offer cool and dynamic
content that can be placed on any page on the Web. They're free and available
for you to add to any Webpage that you own," including personalized Google
properties such as iGoogle and Google Desktop.
However, one person's cool functionality can be another's security
vulnerability.
"The architecture right now is highly insecure," said Tom Stracener,
a senior analyst with the application security company Cenzic Inc. of Santa
Clara, Calif. "It is not clear to me that Google Gadgets have been adopted
in a widespread fashion," but they are being used by people without a
lot of security awareness or expertise. "The current environment is high-risk,"
Stracener added.
Stracener and security consultant Robert Hansen -- known to the online world
as "Rsnake" -- demonstrated some malicious exploits for Gadgets,
such as internal port scanning and JavaScript hacks, at this week's Black
Hat Briefings security conference.
"I love being on the bleeding edge of what's coming next" in the world of security
threats, Stracener said. And one of the things coming next might be "Gmalware"
-- Gadgets optimized for evil instead of good.
There are thousands of Gadgets available and most of them tend to be basic
and innocuous, such as calendars, to-do lists and photo displays. Also, there
are some more serious applications for accessing financial programs or making
online transactions. This area has not taken off yet, but Google is offering
seed money for development of transactional applications for the platform, according
to Stracener.
"Google Gadgets are designed with an open architecture so that anyone
can produce them," he said. He called the Google vision "revolutionary,"
but said that as in much of the rest of the online world, functionality is being
promoted before security. "The net result is that unless you look at a
Gadget's code, you can't be sure what it is doing."
Some examples of what it could be doing were presented as proof-of-concept
exploits developed by Stracener and Hansen. One of Stracener's first Gadget
exploits was a calendar that would read the user's clipboard periodically
and export the data. That one took advantage of an Internet Explorer 6 vulnerability
that no longer is available.
Hansen developed a Gadget that would probe other Gadgets and steal information
from them. Other Gadgets could be used to spider internal Web pages. There is
one that could be used to perform cross-site request forgery, sending the user
to a malicious page where malware could be uploaded or log-in credentials captured.
A variation of this could log a user into an attacker's account when logging
onto a personalized iGoogle page.
"That's a fairly significant privacy exposure," Stracener
said.
Google Gadget exploits have not been found in the wild, and Stracener and Hansen
describe the attacks they demonstrated as largely theoretical because the exploits
do not pose a great risk to sensitive information at this point. However, wider
adoption of more powerful Gadgets could create more significant exposures.
Stracener said that although the current architecture is risky, Google is responding
to reports of vulnerabilities. It could take a while to fix all of the problems,
however. Although some fixes will be simple, others might require more fundamental
changes in the architecture.
About the Author
William Jackson is the senior writer for Government Computer News (GCN.com).