BLACK HAT: Here come Google gadget flaws

Updated Friday, Aug. 8 at 10:43 a.m. EST

One of Google's latest features can be manipulated to spread malware, a pair of researchers said Wednesday at the Black Hat conference in Las Vegas.

Google gadgets are small applications, such as a currency converter, calendar or weather forecast, that can be added to iGoogle on a user's homepage or the computer's desktop.

The problem lies in the fact that the mini-modules are created by third-party developers who can embed malicious JavaScript to redirect users to hacker websites, security researcher Robert “RSnake” Hansen told several hundred people in attendance.

The gadgets are “incredibly powerful,” said Tom Stracener, the other presenter and a senior security analyst at web application security firm Cenzic.

The Google API is designed so that anyone can turn a webpage or application into a gadget that supports dynamic language. Stracener said the gadgets are easy to build, can access and run on multiple websites and can reach millions of users – a potentially lethal combination for the next big attack.

“It's fertile ground for malware to take root,” Stracener said.

He added that the gadgets conceivably could be “weaponized into payloads” because they are based on code that is created and maintained by third parties. In addition, the gadgets could be configured to attack other gadgets, Stracener said.

The two men demonstrated one particularly troubling attack possibility in which a victim would call up the Google homepage and be immediately redirected to a phishing site resembling the Google Mail login page.

In another scenario, hackers could launch a cross-site request forgery attack in which a user unknowingly downloads a malicious gadget, allowing the cybercrooks to hijack the victim's session and steal, in this case, Google search queries.

Hansen said users should be concerned about vulnerabilities in Google gadgets. They can be infected by installing a gadget that they thought was safe but that actually contains malicious code.

Or hackers can take the circuitous, but potentially more successful, route: by compromising the websites hosting legitimate gadgets.

“Now I have my bad gadget running in the context of Google,” said Hansen, who has discovered numerous other Google flaws, including cross-site scripting vulnerabilities that he claims have never been fixed.
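The redirect vector described above can be caught before a gadget is listed by statically checking its spec for navigation to hosts outside an allowlist. The following Python is an added example, not code from the presenters or from Google; it assumes the gadget XML layout (a Module element with Content of type "html" or "url") and uses a constructed allowlist and a constructed sample gadget.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Hosts a gadget is expected to navigate to; constructed for this example.
ALLOWED_HOSTS = {"www.google.com", "gmodules.com"}

# Ways inline gadget code can send the user elsewhere: location assignment,
# location.replace/assign, and a meta refresh. Obfuscated scripts evade this.
NAV_RE = re.compile(r"(?:window\.|document\.|top\.|parent\.)?location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]", re.I)
REPLACE_RE = re.compile(r"location\.(?:replace|assign)\(\s*['\"]([^'\"]+)['\"]", re.I)
META_RE = re.compile(r"<meta[^>]+http-equiv=['\"]?refresh['\"]?[^>]*url=([^'\"\s>]+)", re.I)

def external_targets(html):
    """Return navigation targets in a gadget body that point off the allowlist."""
    targets = []
    for rx in (NAV_RE, REPLACE_RE, META_RE):
        for url in rx.findall(html):
            host = urlparse(url).hostname  # relative URLs have no host and are skipped
            if host and host.lower() not in ALLOWED_HOSTS:
                targets.append(url)
    return targets

def scan_gadget(spec_xml):
    """Parse a gadget spec (assumed layout) and return findings; empty means clean."""
    root = ET.fromstring(spec_xml)
    findings = []
    for content in root.findall("Content"):
        if content.get("type", "html") == "url":
            href = content.get("href", "")
            host = urlparse(href).hostname
            if host and host.lower() not in ALLOWED_HOSTS:
                findings.append(f"url-type gadget loads external page: {href}")
        else:
            for url in external_targets(content.text or ""):
                findings.append(f"inline script/meta navigates to: {url}")
    return findings

# Constructed sample: a "weather" gadget whose script sends the user to a look-alike login page.
SAMPLE = """<Module>
  <ModulePrefs title="Weather" />
  <Content type="html"><![CDATA[
    <div id="wx">Loading forecast...</div>
    <script>top.location.href = "http://mail-google-login.example/signin";</script>
  ]]></Content>
</Module>"""

if __name__ == "__main__":
    for finding in scan_gadget(SAMPLE):
        print("FLAG:", finding)
```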

One audience member, though, questioned Google's burden to protect the gadgets from malicious use.

“Is it really up to Google to vet everything that comes under its domain?” he asked.

Google, in an emailed statement, told SCMagazineUS.com that the internet giant scans all gadgets for malware and blacklists any malicious programs.

But the company noted: "It is important to remember that gadgets are created by developers all over the world to provide a convenient way for users to view information collected from around the web in one place."