News
Google Gadgets An Open Door For Attack
Black Hat presentation outlines risks to using Google gadgets
By Shawna McAlearney, CIO.com
August 08, 2008 — CIO — Gadget lovers were dealt a blow on Wednesday when two researchers outlined what they called a "hole" during a Black Hat presentation. "The attacker can forcibly install Google Gadgets; they can read the victim's search history once a malicious gadget has been installed in some specific circumstances; they can attack other Google Gadgets; they can phish usernames and passwords from victims, and so on," said Robert Hansen, also known as RSnake, a founder of security consultancy SecTheory. "Really, the sky is the limit, once the browser is under the control of an attacker. And that point is exacerbated by the fact that people trust Google be a trustworthy domain, making the attacks even easier." Hansen said that users who are most vulnerable to attack are those who use Google and specifically Gmail since the Web-based e-mail service requires them to be logged in. The attack relies on users intentionally adding modules themselves; a user may be tricked into adding malicious Google modules to his iGoogle homepages. "These users are almost all using JavaScript and normal Web browsers, making them easing pickings for many different classes of attack, he added. Tom Stracener, a senior security analyst at Cenzic and co-presenter of the talk, outlined the threat: Gadgets can attack other Gadgets: The potential impact of these attacks is through cookie theft, or theft of confidential and sensitive information from the Gadget or user. Gadgets can attack the user: The type of attacks range from phishing to cross-site request forgery (when a user follows a link or clicks a form and unwittingly takes an action on a third party website that they did not intend to take). Auto-adding a Gadget: A malicious webpage can add a Gadget to a user's iGoogle homepage without his knowledge and assist in the spread of gadget-based malware. Logging into an alternate Google account: A Gadget can log a user into a different Google account and monitor search queries. "While the business impact from Google Gadget malware is minimal at this time," Stracener says, "As the use of Google Gadgets moves from consumer to business use, the risks for business users will grow."
Gartner Video: Best Practices for Web Application Security and Compliance
Faced with the growing threat of hacker attacks, how do you protect your data and your corporate reputation while increasing revenue?
Email Continuity: Don't Know What You've Got Till it's Gone
Today, more email is being sent and attachment sizes are becoming larger. This means that security, archiving, and continuity systems must be able to scale easily. Learn to manage your email better…
- Ironclad Web Conferencing: Who's listening to your online meeting?
- Jump Start Application Security Initiatives with SaaS
- Gartner Video: Best Practices for Web Application Security and Compliance
- Data Breaches: The Cost of Being Unprepared- Thought Leadership Panel Perspectives
- 2009 Data Breach Investigations Report
- Advancing Information Protection with a Built-In Approach
- The Cost-Based Business Case for Data Loss Prevention
- Strategies to Mitigate Information Risk: Data Loss Prevention and Enterprise Rights Management
- Get Sophisticated About Your Web Application Security
- Losing Ground: 2009 TMT Global Security Survey
- Unlock the Power of Device ID to Combat Online Fraud and Abuse
- Every Man's Guide to Combat Threats Within Your Organization
Get instant notifications when whitepapers, webcasts and case studies are added
to our library. Sign up for a Resource Alert now!
CSO Corporate Partners
Digital ID World
-
September 14 - 16, 2009Rio Hotel and CasinoRegister Now »
Las Vegas, Nevada
(ISC)2 members can earn up to 24 CPE Credits!
Reference priority code ONLINE and attend the full conference for the reduced rate of $995!
