Analyst: Beware of the Google Gadgets

One fun thing about the interactive world of Web 2.0 is the online applications you can take advantage of, such as Google Gadgets.

Google describes Gadgets as "miniature objects that offer cool and dynamic content that can be placed on any page on the Web. They're free and available for you to add to any Webpage that you own," including personalized Google properties such as iGoogle and Google Desktop.

However, one person's cool functionality can be another's security vulnerability.

"The architecture right now is highly insecure," said Tom Stracener, a senior analyst with the application security company Cenzic Inc. of Santa Clara, Calif. "It is not clear to me that Google Gadgets have been adopted in a widespread fashion," but they are being used by people without a lot of security awareness or expertise. "The current environment is high-risk," Stracener added.

Stracener and security consultant Robert Hansen -- known to the online world as "Rsnake" -- demonstrated some malicious exploits for Gadgets, such as internal port scanning and JavaScript hacks, at this week's Black Hat Briefings security conference.

"I love being on the bleeding edge of what's coming next" in the world of security threats, Stracener said. And one of the things coming next might be "Gmalware" -- Gadgets optimized for evil instead of good.

There are thousands of Gadgets available and most of them tend to be basic and innocuous, such as calendars, to-do lists and photo displays. Also, there are some more serious applications for accessing financial programs or making online transactions. This area has not taken off yet, but Google is offering seed money for development of transactional applications for the platform, according to Stracener.

"Google Gadgets are designed with an open architecture so that anyone can produce them," he said. He called the Google vision "revolutionary," but said that as in much of the rest of the online world, functionality is being promoted before security. "The net result is that unless you look at a Gadget's code, you can't be sure what it is doing."

Some examples of what it could be doing were presented as proof-of-concept exploits developed by Stracener and Hansen. One of Stracener's first Gadget exploits was a calendar that would read the user's clipboard periodically and export the data. That one took advantage of an Internet Explorer 6 vulnerability that no longer is available.

Hansen developed a Gadget that would probe other Gadgets and steal information from them. Other Gadgets could be used to spider internal Web pages. There is one that could be used to perform cross-site request forgery, sending the user to a malicious page where malware could be uploaded or log-in credentials captured. A variation of this could log a user into an attacker's account when logging onto a personalized iGoogle page.

"That's a fairly significant privacy exposure," Stracener said.

Google Gadget exploits have not been found in the wild, and Stracener and Hansen describe the attacks they demonstrated as largely theoretical because the exploits do not pose a great risk to sensitive information at this point. However, wider adoption of more powerful Gadgets could create more significant exposures.

Stracener said that although the current architecture is risky, Google is responding to reports of vulnerabilities. It could take a while to fix all of the problems, however. Although some fixes will be simple, others might require more fundamental changes in the architecture.

About the Author

William Jackson is the senior writer for Government Computer News (


  • Sign

    2018 Microsoft Predictions Revisited

    From guessing the fate of Windows 10 S to predicting Microsoft's next big move with Linux, Brien's predictions from a year ago were on the mark more than they weren't.

  • Microsoft Recaps Delivery Optimization Bandwidth Controls for Organizations

    Microsoft expects organizations using its Delivery Optimization peer-to-peer update scheme will optimally see 60 percent to 70 percent improvements in terms of network bandwidth use.

  • Getting a Handle on Hyper-V Virtual NICs

    Hyper-V usually makes it easy to configure virtual network adapters within VMs. That is, until you need to create a VM containing multiple virtual NICs.

  • Microsoft Highlights Emerging Kubernetes Scalability and Governance Efforts

    Microsoft this week highlighted some emerging efforts to improve both the scalability and governance of the open source Kubernetes container orchestration service.

comments powered by Disqus
Most   Popular

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.