Google Gadgets Under Attack at Black Hat

Google Gadgets are supposed to be easy-to-use components that enable users to put content and small applications wherever they want them. According to Tom Stracener a Cenzic Senior Security Analyst, Google Gadgets can also potentially be used as a platform for user exploitation.

In a presentation to be delivered at the Black Hat security conference, Stracener will explain in gory detail how gadgets can be used to attack other gadgets and ultimately end users. The impact could range from a loss of confidential information to arbitrary code execution. Google argues, however, that though any gadget could be a target for malware, the company is already actively taking precautions to protect users.

“One of the things that really characterizes Web 2.0 is the high interactivity between the user and other users as well as the application in sharing information,” Stracener told InternetNews.com prior to his presentation. “These little microapplications like Google Gadgets are ideal for that. On the other hand if someone creates a gadget that is designed to trick the user, that’s easy to do.”

Google Gadgets can run on a user’s iGoogle home page. They can also be put on any Web page and run on Google Desktop. Stracener has identified scenarios under which each type of gadget implementation — whether running on Windows, Linux or a Mac — could be exploited for malicious intent.

One scenario where a gadget could be harmful is if it is used as a platform for a phishing attack, in which the user is somehow lured to click on a bad link. There is also the potential for using gadgets for Cross Site Request Forgery (CSRF) attacks.

Stracener explained that the CSRF attack on gadgets involves a scenario where a user submits a form within one application, and it ends up taking an action on another Web site the user was not intending to take.

He noted that a CSRF attack could be particularly harmful if the user is logged in to a social networking site while running the malicious gadget. In that scenario the gadget could potentially steal the user’s login credentials for the social networking site.

Risk of scripts

“Right now in Google Gadgets you can open arbitrary php scripts,” Stracener explained. “You could create a gadget that very discreetly took advantage of vulnerabilities in a user’s Web browser.”

Stracener noted that while some may argue that for users to be exploited they first have to actually choose a gadget that is malicious and install it. That’s not necessarily the case.

“If you can get a user to visit a page an attacker controls and you’re logged in, we can silently add a gadget to your iGoogle page,” Stracener claimed.

A Google Gadget deployed on a user’s desktop also potentially could have turned the user’s PC into a host for malware. Stracener alleged that he discovered a vulnerability whereby the malicious gadget could get a piece of malware stored on a user’s desktop for up to 30 days.

Google has already patched that particular vulnerability, according to Stracener.

“We reported it to Google, and they fixed it in under four weeks,” Stracener claimed. “They have the information on the types of attacks we’ll be presenting, and they’ve already fixed one of the problems — so we’re not blindsiding them on anything.”

This article was first published on InternetNews.com.

RELATED NEWS AND ANALYSIS

• Ethics and Artificial Intelligence: Driving Greater Equality

  FEATURE |  By James Maguire,
  December 16, 2020

• AI vs. Machine Learning vs. Deep Learning

  FEATURE |  By Cynthia Harvey,
  December 11, 2020

• Huawei’s AI Update: Things Are Moving Faster Than We Think

  FEATURE |  By Rob Enderle,
  December 04, 2020

• Keeping Machine Learning Algorithms Honest in the ‘Ethics-First’ Era

  ARTIFICIAL INTELLIGENCE |  By Guest Author,
  November 18, 2020

• Key Trends in Chatbots and RPA

  FEATURE |  By Guest Author,
  November 10, 2020

• Top 10 AIOps Companies

  FEATURE |  By Samuel Greengard,
  November 05, 2020

• What is Text Analysis?

  ARTIFICIAL INTELLIGENCE |  By Guest Author,
  November 02, 2020

• How Intel’s Work With Autonomous Cars Could Redefine General Purpose AI

  ARTIFICIAL INTELLIGENCE |  By Rob Enderle,
  October 29, 2020

• Dell Technologies World: Weaving Together Human And Machine Interaction For AI And Robotics

  ARTIFICIAL INTELLIGENCE |  By Rob Enderle,
  October 23, 2020

• The Super Moderator, or How IBM Project Debater Could Save Social Media

  FEATURE |  By Rob Enderle,
  October 16, 2020

• Top 10 Chatbot Platforms

  FEATURE |  By Cynthia Harvey,
  October 07, 2020

• Finding a Career Path in AI

  ARTIFICIAL INTELLIGENCE |  By Guest Author,
  October 05, 2020

• CIOs Discuss the Promise of AI and Data Science

  FEATURE |  By Guest Author,
  September 25, 2020

• Microsoft Is Building An AI Product That Could Predict The Future

  FEATURE |  By Rob Enderle,
  September 25, 2020

• Top 10 Machine Learning Companies 2021

  FEATURE |  By Cynthia Harvey,
  September 22, 2020

• NVIDIA and ARM: Massively Changing The AI Landscape

  ARTIFICIAL INTELLIGENCE |  By Rob Enderle,
  September 18, 2020

• Continuous Intelligence: Expert Discussion [Video and Podcast]

  ARTIFICIAL INTELLIGENCE |  By James Maguire,
  September 14, 2020

• Artificial Intelligence: Governance and Ethics [Video]

  ARTIFICIAL INTELLIGENCE |  By James Maguire,
  September 13, 2020

• IBM Watson At The US Open: Showcasing The Power Of A Mature Enterprise-Class AI

  FEATURE |  By Rob Enderle,
  September 11, 2020

• Artificial Intelligence: Perception vs. Reality

  FEATURE |  By James Maguire,
  September 09, 2020