Google Gadgets Under Attack at Black Hat
Page 1 of 2
Google Gadgets are supposed to be easy-to-use components that enable users to put content and small applications wherever they want them. According to Tom Stracener a Cenzic Senior Security Analyst, Google Gadgets can also potentially be used as a platform for user exploitation.
In a presentation to be delivered at the Black Hat security conference, Stracener will explain in gory detail how gadgets can be used to attack other gadgets and ultimately end users. The impact could range from a loss of confidential information to arbitrary code execution. Google argues, however, that though any gadget could be a target for malware, the company is already actively taking precautions to protect users.
"One of the things that really characterizes Web 2.0 is the high interactivity between the user and other users as well as the application in sharing information," Stracener told InternetNews.com prior to his presentation. "These little microapplications like Google Gadgets are ideal for that. On the other hand if someone creates a gadget that is designed to trick the user, that's easy to do."
Google Gadgets can run on a user's iGoogle home page. They can also be put on any Web page and run on Google Desktop. Stracener has identified scenarios under which each type of gadget implementation -- whether running on Windows, Linux or a Mac -- could be exploited for malicious intent.
One scenario where a gadget could be harmful is if it is used as a platform for a phishing attack, in which the user is somehow lured to click on a bad link. There is also the potential for using gadgets for Cross Site Request Forgery (CSRF) attacks.
Stracener explained that the CSRF attack on gadgets involves a scenario where a user submits a form within one application, and it ends up taking an action on another Web site the user was not intending to take.
He noted that a CSRF attack could be particularly harmful if the user is logged in to a social networking site while running the malicious gadget. In that scenario the gadget could potentially steal the user's login credentials for the social networking site.
Next page: Risk of scripts