Black Hat presenters Robert “RSnake” Hansen, CEO of SecTheory, and Tom Stracener, security analyst at Cenzic, criticized Google in their presentation “Xploiting Google Gadgets”. Hansen and Stracener say that Google currently has no way to confirm whether a Google Gadget contains malicious content; this leaves the application open to a wide range of hacking ugliness such as data poisoning, worms, and theft of data. Hansen himself isn’t exactly on the friendliest terms with Google. He has a bit of a contentious history with the company and claims that Google has threatened legal action against him. Nevertheless, if what was presented is true and accurate, then Google has a huge security issue that needs to be addressed sooner rather than later. Google has not yet commented on the situation.
2 thoughts on “Black Hat 2008: Google Gadgets Insecurity”
(Disclosure: I’m a software engineer at Google.)
I think the AP story about this had more info from Google:
“Google disputes Hansen’s characterization of its vetting process for gadgets.
The company said in a statement that it scans all gadgets regularly for malicious code, and in the “very rare” instance in which one is found, it’s immediately blacklisted.
Google added that since November 2007 no new “inline” gadgets — which have access to user account information — have been created. And the authors of existing “inline” gadgets can’t modify them further.”
I haven’t been following this story, but if the vulnerability is only in inlined gadgets, it sounds like Google responded a while ago. See also:
http://groups.google.com/group/Google-Gadgets-API/browse_thread/thread/5776dc1be6dfd0b
http://igoogledeveloper.blogspot.com/2008/08/changes-to-inlined-gadgets.html
How exactly is this a hack?
I’m sorry but maybe you guys should just change your name to engadget LITE…
I know you just hired a lot of people to help keep the content flowing, but c’mon Will, I come to this site for innovative hardware projects, not this ‘latest Google news’ crap. I can go to any lamer Associated Press feed for this. What’s worse, this isn’t even “news”. Google addressed this LAST YEAR.
Please, I’m begging you. I’ll take any hack at all. Arduino, WRT, FPGAs, even NOACs.