August 7, 2008

Experts Demonstrate Potential Security Threats In Google Gadgets

"Oversharing" has been one of the most significant challenges of Web 2.0, often creating security risks as users add programs to Web sites that may inadvertently open the door to hackers.

Increasingly, even major Internet companies, such as Google Inc., are becoming attractive targets for hackers, according to security researchers. 

Those with bad intentions can sometimes exploit the company's "gadgets" programs, small applications such as calendars that users install on personalized Google home pages. These applications can be customized by users and then distributed through Google.

However, a hacker might customize a gadget in nefarious ways before using Google to distribute their code. If downloaded, such a malicious gadget could then wreak havoc in a number of ways, such as stealing information from other gadgets to gain personal information, according to Hansen and Stracener.

The fact that many users inherently trust what they download from Google further complicates the problem.

Security consultant SecTheory CEO Robert Hansen and Tom Stracener, senior security analyst with security testing software maker Cenzic Inc., demonstrated such an attack at the Black Hat hacker conference in Las Vegas on Wednesday. The duo used a malicious gadget to hack into a user's Web browser and gain access to their real-time searches.

"How do you know it's a legitimate gadget?" asked Hansen.

"Because someone uploaded it? There's no moderation, there's no way to guarantee it won't turn bad," he told the Associated Press.

Google is fighting a common problem facing many social-networking sites, along with others that encourage users to add new applications to spruce up their Web sites and to deliver pictures and other content to the outside world. These applications run code on the Web site that could be used for both good and bad purposes.

In a statement, Google defended its program, saying its gadgets are created to "provide a convenient way for users to view information collected from around the Web in one place."

The company disputed Hansen's characterization of its vetting process, and said it regularly scans all gadgets for malicious code. In the "very rare" instances in which such code is discovered, it is immediately blacklisted, the company said.

The company said that no new "inline" gadgets with access to user account information have been created since November 2007, and authors of existing inline gadgets are not permitted to make further modifications.


On the Net: