Application security, Incident Response, TDR, Vulnerability Management

BLACK HAT: Here come Google gadget flaws

Updated Friday, Aug. 8 at 10:43 a.m. EST

One of Google's latest features can be manipulated to spread malware, a pair of researchers said Wednesday at the Black Hat conference in Las Vegas.

Google gadgets are small applications, such as a currency converter, calendar or weather forecast, that can be added to iGoogle on a user's homepage or the computer's desktop.

The problem lies in the fact that the mini-modules are created by third-party developers who can embed malicious JavaScript to redirect users to hacker websites, security researcher Robert “RSnake” Hansen told several hundred people in attendance.

The gadgets are “incredibly powerful,” said Tom Stracener, the other presenter and a senior security analyst at web application security firm Cenzic.

The Google API is designed in such a way to allow anyone to turn their webpage or application into a gadget that supports dynamic language. Stracener said the gadgets are easy to build, can access and run on multiple websites and can reach millions of users – a potentially lethal combination for the next big attack.

“It's fertile ground for malware to take root,” Stracener said.

He added that the gadgets conceivably could be “weaponized into payloads” because they are based on code that is created and maintained by third parties. In addition, the gadgets could be configured to attack other gadgets, Stracener said.

The two men demonstrated one particularly troubling attack possibility in which a victim would call up the Google homepage and be immediately redirected to a phishing site resembling the Google Mail login page.

In another scenario, hackers could launch a cross-site request forgery attack in which a user unknowingly downloads a malicious gadget, allowing the cybercrooks to hijack the victim's session and steal, in this case, Google search queries.

Hansen said users should be concerned about vulnerabilities in Google gadgets. They can be infected by installing a gadget they thought was safe, but actually contains malicious code.

Or hackers can take the circuitous, but potentially more successful, route: by compromising the websites hosting legitimate gadgets.

“Now I have my bad gadget running in the context of Google,” said Hansen, who has discovered numerous other Google flaws, including cross-site scripting vulnerabilities that he claims have never been fixed.

One audience member, though, questioned Google's burden to protect the gadgets from malicious use.

“Is it really up to Google to vet everything that comes under its domain?” he asked.

Google, in an emailed statement, told that the internet giant scans all gadgets for malware and blacklists any malicious programs.

But the company noted: "It is important to remember that gadgets are created by developers all over the world to provide a convenient way for users to view information collected from around the web in one place."

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.