Google Gadgets are supposed to be easy-to-use components that enable users to put content and small applications wherever they want them. According to Tom Stracener a Cenzic Senior Security Analyst, Google Gadgets can also potentially be used as a platform for user exploitation.
In a presentation to be delivered at the Black Hat security conference, Stracener will explain in gory detail how gadgets can be used to attack other gadgets and ultimately end users. The impact could range from a loss of confidential information to arbitrary code execution. Google argues, however, that though any gadget could be a target for malware, the company is already actively taking precautions to protect users.
“One of the things that really characterizes Web 2.0 is the high interactivity between the user and other users as well as the application in sharing information,” Stracener told InternetNews.com prior to his presentation. “These little microapplications like Google Gadgets are ideal for that. On the other hand if someone creates a gadget that is designed to trick the user, that’s easy to do.”
Google Gadgets can run on a user’s iGoogle home page. They can also be put on any Web page and run on Google Desktop. Stracener has identified scenarios under which each type of gadget implementation — whether running on Windows, Linux or a Mac — could be exploited for malicious intent.
One scenario where a gadget could be harmful is if it is used as a platform for a phishing attack, in which the user is somehow lured to click on a bad link. There is also the potential for using gadgets for Cross Site Request Forgery (CSRF) attacks.
Stracener explained that the CSRF attack on gadgets involves a scenario where a user submits a form within one application, and it ends up taking an action on another Web site the user was not intending to take.
He noted that a CSRF attack could be particularly harmful if the user is logged in to a social networking site while running the malicious gadget. In that scenario the gadget could potentially steal the user’s login credentials for the social networking site.
Risk of scripts
“Right now in Google Gadgets you can open arbitrary php scripts,” Stracener explained. “You could create a gadget that very discreetly took advantage of vulnerabilities in a user’s Web browser.”
Stracener noted that while some may argue that for users to be exploited they first have to actually choose a gadget that is malicious and install it. That’s not necessarily the case.
“If you can get a user to visit a page an attacker controls and you’re logged in, we can silently add a gadget to your iGoogle page,” Stracener claimed.
A Google Gadget deployed on a user’s desktop also potentially could have turned the user’s PC into a host for malware. Stracener alleged that he discovered a vulnerability whereby the malicious gadget could get a piece of malware stored on a user’s desktop for up to 30 days.
Google has already patched that particular vulnerability, according to Stracener.
“We reported it to Google, and they fixed it in under four weeks,” Stracener claimed. “They have the information on the types of attacks we’ll be presenting, and they’ve already fixed one of the problems — so we’re not blindsiding them on anything.”
This article was first published on InternetNews.com.