Gadget lovers were dealt a blow on Wednesday when two researchers outlined what they called a "hole" during a Black Hat presentation. "
The attacker can forcibly install Google Gadgets; they can read the victim's search history once a malicious gadget has been installed in some specific circumstances; they can attack other Google Gadgets; they can phish usernames and passwords from victims, and so on," said Robert Hansen, also known as RSnake, a founder of security consultancy SecTheory. "
Really, the sky is the limit, once the browser is under the control of an attacker. And that point is exacerbated by the fact that people trust Google be a trustworthy domain, making the attacks even easier."
Hansen said that users who are most vulnerable to attack are those who use Google and specifically Gmail since the Web-based e-mail service requires them to be logged in. The attack relies on users intentionally adding modules themselves; a user may be tricked into adding malicious Google modules to his iGoogle homepages. "
These users are almost all using javascript and normal Web browsers, making them easing pickings for many different classes of attack," he added.
View:
Full Story at InfoWorld
08-09-2008, 07:35 PM
Google Gadgets an Open Door for Attack
Linear Mode
