Black Hat 2008: Google Gadgets insecurity


At Black Hat, Robert “RSnake” Hansen, CEO of SecTheory, and Tom Stracener, security analyst at Cenzic, criticized Google in their presentation “Xploiting Google Gadgets”. Hansen and Stracener say that Google currently has no way to confirm whether a submitted Google Gadget contains malicious content, which leaves the platform open to a wide range of attacks, including data poisoning, worms, and theft of user data. Hansen himself isn’t exactly on the friendliest terms with Google: he has a contentious history with the company and claims that Google has threatened him with legal action. Nevertheless, if what was presented is accurate, Google has a serious security issue that needs to be addressed sooner rather than later. Google has not yet commented on the situation.

Comments

  1. Matt Cutts says:

    (Disclosure: I’m a software engineer at Google.)

    I think the AP story about this had more info from Google:

    “Google disputes Hansen’s characterization of its vetting process for gadgets.

    The company said in a statement that it scans all gadgets regularly for malicious code, and in the “very rare” instance in which one is found, it’s immediately blacklisted.

    Google added that since November 2007 no new “inline” gadgets — which have access to user account information — have been created. And the authors of existing “inline” gadgets can’t modify them further.”

    I haven’t been following this story, but if the vulnerability is only on inlined gadgets, it sounds like Google responded a while ago. See also
    http://groups.google.com/group/Google-Gadgets-API/browse_thread/thread/5776dc1be6dfd0b
    http://igoogledeveloper.blogspot.com/2008/08/changes-to-inlined-gadgets.html

  2. peruser says:

    how exactly is this a hack?

    I’m sorry but maybe you guys should just change your name to engadget LITE…

    I know you just hired a lot of people to help the content flowing, but c’mon Will, I come to this site for innovative hardware projects. Not this ‘latest google news’ crap. I can go to any lamer Associated Press feed for this. What’s worse this isn’t even “news”. Google addressed this LAST YEAR.

    Please, I’m begging you. I’ll take any hack at all. Arduino, WRT, FPGAs, even NOACs.
