Black Hat 2008: Google Gadgets insecurity
posted Aug 9th 2008 6:00pm by Kimberly Laufiled under: news
Black Hat presenters [Robert "RSnake" Hansen], CEO of SecTheory, and [Tom Stracener], security analyst at Cenzic, criticized Google in their presentation “Xploiting Google Gadgets”. [Hansen] and [Stracener] say that there’s currently no way for Google to confirm whether Google Gadget creations contain malicious content or not; this leaves the application vulnerable to a wide range of hacking ugliness such as data poisoning, worms, and theft of data. [Hansen] himself isn’t exactly on the friendliest terms with Google. He’s got a bit of a contentious history and he claims that Google has threatened legal action against him. Nevertheless, if what was presented is true and accurate, then Google has a huge security issue that needs to be addressed sooner rather than later. Google has not yet commented on the situation.
(Disclosure: I’m a software engineer at Google.)
I think the AP story about this had more info from Google:
“Google disputes Hansen’s characterization of its vetting process for gadgets.
The company said in a statement that it scans all gadgets regularly for malicious code, and in the “very rare” instance in which one is found, it’s immediately blacklisted.
Google added that since November 2007 no new “inline” gadgets â which have access to user account information â have been created. And the authors of existing “inline” gadgets can’t modify them further.”
I haven’t been following this story, but if the vulnerability is only on inlined gadgets, it sounds like Google responded a while ago. See also
http://groups.google.com/group/Google-Gadgets-API/browse_thread/thread/5776dc1be6dfd0b
http://igoogledeveloper.blogspot.com/2008/08/changes-to-inlined-gadgets.html
Posted at 3:08 am on Aug 10th, 2008 by Matt Cutts