Black Hat 2008 USA – Xploiting Google Gadgets Gmalware and Beyond by Robert Hansen and Tom Stracener
September 2008 by Michael Hayes CTO, B-4-U Inc.
Gadgets in general and Google Gadgets specifically are cool additions to any user’s desktop. Gadgets that provide shared calendars with workgroups, individuals and friends are always great tools, or gadgets used to personalize or jazz up a desktop and simplify or add information streams improve the user experience. Streaming information adds topics of interest, friends, family and favorites as information or convenience tools.
Michael Hayes CTO, B-4-U Inc.
The problem is these innocuous Google Gadgets open up a new attack vector for malicious users to capture private information from users and corporations alike.
Looking through the rear view mirror:
Most Enterprises do not see Google Gadgets as anything but a decoration and the provisioning of simple user benign tools and novelties. As the world of Google Gadgets comes into focus a number of issues come into play.
Today one of the major attack vectors is the variants of the WINDOWS operating systems since these are the most prevalent Operating systems globally. With the move to the WEB 2.0 as the primary environment to execute program, store data and utilize tools for collaborative projects, Google Gadgets can become a vehicle for Cross Site Scripting (XSS) exploits.
The analogy that can be used is the use of shareware or freeware; what individual, corporation or organization would allow the un-restricted use of these applications, downloaded from the web. Yet today with the un-restricted use of Google Gadgets a new attack vector is opened.
Examples of Phishing has been identified as scripts that mimic recognized organizations can be easily embedded in Google Gadgets. The vision for gadgets is that they morph as the user communities change their requirements and needs. What review process is in place to guarantee that no malevolent code is introduced?
Gadgets can communicate with each other and they are persistent, these two characteristics will allow gadgets to be developed that co-op each other to steal private information. Since a specific gadget by itself is benign, it is hard to verify the inter-action between gadgets of any in-appropriate behavior.
Some of the other attributes of Google gadgets make them a security concern. Their vary nature is to have them spread virally, be de-centralized (very hard to check and mutation is likely), content rich, a two edged sword, (what is the content), is meant to gather social information and provide records of activity. In each case these can be red flags for any security organization.
Through the looking Glass:
Google Gadgets provides a type of utility to users of desktops, but creates a new attack vector for Enterprises. As with most security issues, it is critical that a corporations, governments and institutions outline clear policies that prohibit the use of Google Gadgets and any other type of enhancement that can enable Cross Site Scripting.
These organizations also need to provide education to users as to the risk to both their own personal data, and that of the organization. Additionally tools must be developed beyond the traditional virus and firewalls that identify this malware and block it from executing.