Google Gadgets are supposed to be easy-to-use components that enable users to put content and small applications wherever they want them. According to Tom Stracener a Cenzic Senior Security Analyst, Google Gadgets can also potentially be used as a platform for user exploitation.
In a presentation to be delivered at the Black Hat security conference, Stracener will explain in gory detail how gadgets can be used to attack other gadgets and ultimately end users. The impact could range from a loss of confidential information to arbitrary code execution. Google argues, however, that though any gadget could be a target for malware, the company is already actively taking precautions to protect users.
“One of the things that really characterizes Web 2.0 is the high interactivity between the user and other users as well as the application in sharing information,” Stracener told InternetNews.com prior to his presentation. “These little microapplications like Google Gadgets are ideal for that. On the other hand if someone creates a gadget that is designed to trick the user, that’s easy to do.”
Google Gadgets can run on a user’s iGoogle home page. They can also be put on any Web page and run on Google Desktop. Stracener has identified scenarios under which each type of gadget implementation — whether running on Windows, Linux or a Mac — could be exploited for malicious intent.
One scenario where a gadget could be harmful is if it is used as a platform for a phishing attack, in which the user is somehow lured to click on a bad link. There is also the potential for using gadgets for Cross Site Request Forgery (CSRF) attacks.
Stracener explained that the CSRF attack on gadgets involves a scenario where a user submits a form within one application, and it ends up taking an action on another Web site the user was not intending to take.
He noted that a CSRF attack could be particularly harmful if the user is logged in to a social networking site while running the malicious gadget. In that scenario the gadget could potentially steal the user’s login credentials for the social networking site.
Next page: Risk of scripts
Page 2 of 2
Risk of scripts
“Right now in Google Gadgets you can open arbitrary php scripts,” Stracener explained. “You could create a gadget that very discreetly took advantage of vulnerabilities in a user’s Web browser.”
Stracener noted that while some may argue that for users to be exploited they first have to actually choose a gadget that is malicious and install it. That’s not necessarily the case.
“If you can get a user to visit a page an attacker controls and you’re logged in, we can silently add a gadget to your iGoogle page,” Stracener claimed.
A Google Gadget deployed on a user’s desktop also potentially could have turned the user’s PC into a host for malware. Stracener alleged that he discovered a vulnerability whereby the malicious gadget could get a piece of malware stored on a user’s desktop for up to 30 days.
Google has already patched that particular vulnerability, according to Stracener.
“We reported it to Google, and they fixed it in under four weeks,” Stracener claimed. “They have the information on the types of attacks we’ll be presenting, and they’ve already fixed one of the problems — so we’re not blindsiding them on anything.”
Google, however, disagrees. “We were notified of the general nature of the presentation, but our engineers have not yet gotten full details of the talk,” a Google spokesperson wrote in an e-mail to InternetNews.com. “Google appreciates it when researchers practice responsible disclosure and give Google enough time and information to evaluate possible vulnerabilities, and fix them.”
The spokesperson added that security is an issue for all gadget providers, not just Google. The rep also noted that Google currently scans all gadgets created by developers for malware regularly.
“It is very rare to find gadgets that serve malware, but if it happens, we immediately blacklist the gadget, so it is not displayed to users,” the Google spokesperson said.
Whether or not Stracener properly disclosed his talk to Google or not, the risk to users may well be limited overall, at least for now.
Though the risks from gadgets are real, Stracener noted that the current impact is relatively low as he has yet to see any attacks in the wild on gadgets.
“Gadgets aren’t going away, but a lot the things that we’ll show are attacks that are very bad in a lab,” Stracener said. “But right now the risks are theoretical to the extent that gadgets aren’t being used in a widespread manner right now.”
Fundamentally the issue with gadgets as they currently exist is that they are an empowering tool for both good and malicious users.
“The attractiveness of gadgets is about giving users a powerful API to do great things,” Stracener commented. “But when you give them the full power of scripting apparatus, the more power you put in the hands of users the more you empower those with malicious intent.”