Get Ready For Google Gadget Malware - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
Government // Enterprise Architecture
News
7/25/2008
03:03 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Get Ready For Google Gadget Malware

At Black Hat, RSnake is expected to demonstrate a zero-day vulnerability that allows for information theft, spoofing, and authentication issues.

"Gmalware" may be coming soon to your iGoogle page.

In two weeks, at the Black Hat Conference on Wednesday, Aug. 6, Cenzic senior security analyst Tom Stracener and security researcher Robert Hansen, better known as "RSnake," plan to demonstrate a zero-day vulnerability that affects Google Gadgets.

"At the core of the talk is the concept of Gmalware, which is basically a malicious gadget," said Stracener. "The idea is that gadgets are supported by the gmodule domain and security architecture. And with the current security architecture, it doesn't protect individuals from malicious gadgets very well. Nor does it protect gadgets from one another."

Google Gadgets, said Stracener, are vulnerable to information theft, deceptive practices, content spoofing, and authentication issues.

A Google Gadget, for example, can log you into an account without your knowledge and monitor your Google Search queries, Stracener explained. It can also be made to attack another Google Gadget and steal information.

No malicious Google Gadgets have been spotted in the wild yet. Once details about the vulnerabilities emerge, however, that may change.

Google has been alerted to the researchers' findings but hasn't yet publicly acknowledged whether or not it sees a problem. The company did not respond to a request for comment.

"We alerted them to that and what they came back with was this is the expected behavior of this domain," said Hansen. "Both Tom and I found that to be a fairly contentious attitude. We alerted them to it and they decided not to fix it and now we're just demonstrating what we found."

Hansen said that the underlying problem is that Google's security architecture allows an attacker to put pretty much whatever he or she wants inside Google Gadgets. Likening the issue to a SQL injection vulnerability, he said that an attacker could put malicious Flash, HTML, or scripts into a Google Gadget.

Google has some measures at the perimeter to prevent bad gadgets from being introduced. "But there are some tricks that we've come up with to get the Google Gadget subversively added to somebody's iGoogle page," said Hansen.

Google also tries to sandbox the gmodules domain, where Google Gadgets operate, from Google.com. "The problem is that protects you from two or three very specific attacks but it leaves you open to a huge number of other attacks," said Hansen. "What we're outlining is everything else that's wrong with this model."

Google tries "to separate that into a different domain, the gmodules domain," said Hansen. "That protects you from two or three very specific attacks, but it leaves you open to a huge number of other attacks. What we're outlining is everything else that's wrong with this model."

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Slideshows
IT Careers: 10 Industries with Job Openings Right Now
Cynthia Harvey, Freelance Journalist, InformationWeek,  5/27/2020
Commentary
How 5G Rollout May Benefit Businesses More than Consumers
Joao-Pierre S. Ruth, Senior Writer,  5/21/2020
News
IT Leadership in Education: Getting Online School Right
Jessica Davis, Senior Editor, Enterprise Apps,  5/20/2020
White Papers
Register for InformationWeek Newsletters
Video
Current Issue
Key to Cloud Success: The Right Management
This IT Trend highlights some of the steps IT teams can take to keep their cloud environments running in a safe, efficient manner.
Slideshows
Flash Poll