Comments on: Black Hat 2008: Google Gadgets insecurity http://hackaday.com/2008/08/09/black-hat-2008-google-gadgets-insecurity/ Fresh hacks every day Wed, 25 Nov 2009 12:46:25 +0000 http://wordpress.com/ hourly 1 By: peruser http://hackaday.com/2008/08/09/black-hat-2008-google-gadgets-insecurity/comment-page-1/#comment-40329 peruser Mon, 11 Aug 2008 18:17:52 +0000 http://hackaday.iheartcashews.com:8181/2008/08/09/black-hat-2008-google-gadgets-insecurity/#comment-40329 how exactly is this a hack? <br><br>I'm sorry but maybe you guys should just change your name to engadget LITE...<br><br>I know you just hired a lot of people to help the content flowing, but c'mon Will, I come to this site for innovative hardware projects. Not this 'latest google news' crap. I can go to any lamer Associated Press feed for this. What's worse this isn't even "news". Google addressed this LAST YEAR.<br><br>Please, I'm begging you. I'll take any hack at all. Arduino, WRT, FPGAs, even NOACs. <br><br> how exactly is this a hack?

I’m sorry but maybe you guys should just change your name to engadget LITE…

I know you just hired a lot of people to help the content flowing, but c’mon Will, I come to this site for innovative hardware projects. Not this ‘latest google news’ crap. I can go to any lamer Associated Press feed for this. What’s worse this isn’t even “news”. Google addressed this LAST YEAR.

Please, I’m begging you. I’ll take any hack at all. Arduino, WRT, FPGAs, even NOACs.

]]> By: Matt Cutts http://hackaday.com/2008/08/09/black-hat-2008-google-gadgets-insecurity/comment-page-1/#comment-40328 Matt Cutts Sun, 10 Aug 2008 10:08:46 +0000 http://hackaday.iheartcashews.com:8181/2008/08/09/black-hat-2008-google-gadgets-insecurity/#comment-40328 (Disclosure: I'm a software engineer at Google.)<br><br>I think the AP story about this had more info from Google:<br><br>"Google disputes Hansen's characterization of its vetting process for gadgets.<br><br>The company said in a statement that it scans all gadgets regularly for malicious code, and in the "very rare" instance in which one is found, it's immediately blacklisted.<br><br>Google added that since November 2007 no new "inline" gadgets — which have access to user account information — have been created. And the authors of existing "inline" gadgets can't modify them further."<br><br>I haven't been following this story, but if the vulnerability is only on inlined gadgets, it sounds like Google responded a while ago. See also<br><a href="http://groups.google.com/group/Google-Gadgets-API/browse_thread/thread/5776dc1be6dfd0b" rel="nofollow">http://groups.google.com/group/Google-Gadgets-API/browse_thread/thread/5776dc1be6dfd0b</a><br><a href="http://igoogledeveloper.blogspot.com/2008/08/changes-to-inlined-gadgets.html" rel="nofollow">http://igoogledeveloper.blogspot.com/2008/08/changes-to-inlined-gadgets.html</a> (Disclosure: I’m a software engineer at Google.)

I think the AP story about this had more info from Google:

“Google disputes Hansen’s characterization of its vetting process for gadgets.

The company said in a statement that it scans all gadgets regularly for malicious code, and in the “very rare” instance in which one is found, it’s immediately blacklisted.

Google added that since November 2007 no new “inline” gadgets — which have access to user account information — have been created. And the authors of existing “inline” gadgets can’t modify them further.”

I haven’t been following this story, but if the vulnerability is only on inlined gadgets, it sounds like Google responded a while ago. See also
http://groups.google.com/group/Google-Gadgets-API/browse_thread/thread/5776dc1be6dfd0b
http://igoogledeveloper.blogspot.com/2008/08/changes-to-inlined-gadgets.html

]]>