Analyst: Beware of the Google Gadgets

By William Jackson | One fun thing about the interactive world of Web 2.0 is the online applications you can take advantage of, such as Google Gadgets.

 

Google describes Gadgets as “miniature objects that offer cool and dynamic content that can be placed on any page on the Web. They’re free and available for you to add to any Webpage that you own,” including personalized Google properties such as iGoogle and Google Desktop.

However, one person’s cool functionality can be another’s security vulnerability.

“The architecture right now is highly insecure,” said Tom Stracener, a senior analyst with the application security company Cenzic Inc. of Santa Clara, Calif. “It is not clear to me that Google Gadgets have been adopted in a widespread fashion,” but they are being used by people without a lot of security awareness or expertise. “The current environment is high-risk,” Stracener added.

Stracener and security consultant Robert Hansen — known to the online world as “Rsnake” — demonstrated some malicious exploits for Gadgets, such as internal port scanning and JavaScript hacks, at this week’s Black Hat Briefings security conference.

“I love being on the bleeding edge of what’s coming next” in the world of security threats, Stracener said. And one of the things coming next might be “Gmalware” — Gadgets optimized for evil instead of good.

There are thousands of Gadgets available and most of them tend to be basic and innocuous, such as calendars, to-do lists and photo displays. Also, there are some more serious applications for accessing financial programs or making online transactions. This area has not taken off yet, but Google is offering seed money for development of transactional applications for the platform, according to Stracener.

“Google Gadgets are designed with an open architecture so that anyone can produce them,” he said. He called the Google vision “revolutionary,” but said that as in much of the rest of the online world, functionality is being promoted before security. “The net result is that unless you look at a Gadget’s code, you can’t be sure what it is doing.”

Some examples of what it could be doing were presented as proof-of-concept exploits developed by Stracener and Hansen. One of Stracener’s first Gadget exploits was a calendar that would read the user’s clipboard periodically and export the data. That one took advantage of an Internet Explorer 6 vulnerability that no longer is available.

Hansen developed a Gadget that would probe other Gadgets and steal information from them. Other Gadgets could be used to spider internal Web pages. There is one that could be used to perform cross-site request forgery, sending the user to a malicious page where malware could be uploaded or log-in credentials captured. A variation of this could log a user into an attacker’s account when logging onto a personalized iGoogle page.

“That’s a fairly significant privacy exposure,” Stracener said.

Google Gadget exploits have not been found in the wild, and Stracener and Hansen describe the attacks they demonstrated as largely theoretical because the exploits do not pose a great risk to sensitive information at this point. However, wider adoption of more powerful Gadgets could create more significant exposures.

Stracener said that although the current architecture is risky, Google is responding to reports of vulnerabilities. It could take a while to fix all of the problems, however. Although some fixes will be simple, others might require more fundamental changes in the architecture.