Malicious Gadgets

The folks at Offensive-Security dot com published an information advisory regarding a security vulnerability associated with the use of Google gadgets. According to Offensive-Security:

The real vulnerability lies in the ability of a malicious user to add their own Gadgets on a separate domain space, without Google’s authorization…

There is a nicely done and very succinct video, merely 1:26 min in length, which is worth watching. The potential threat from gadgets residing on domains that are not registered to Google is the ease with which such gadgets can be converted into attack tools. A gadget sourced from an unvouched-for third party could run malicious JavaScript on victim machines, steal cookies or worse.

Apparently the vulnerability STILL hasn’t been repaired, based on this Google Gadget Group posting I saw yesterday, dated June 17, with no response by anyone in the group yet, particularly no response by any Google staff… to be continued.

Published on June 16, 2010 at 12:22 am