Malicious Gadgets

The folks at Offensive-Security dot com published an information advisory regarding a security vulnerability associated with usage of Google gadgets. According to Offensive-Security,

"The real vulnerability lies in the ability of a malicious user to add their own Gadgets on a separate domain space, without Google’s authorization…"

There is a nicely done and very succinct video, merely 1:26 min in length, which is worth watching. The threat from gadgets residing on domains that are not registered to Google is the ease with which such gadgets can be converted into attack tools. A gadget sourced from an unvouched-for third party could run malicious JavaScript on victim machines, steal cookies or worse.

Apparently the vulnerability STILL hasn’t been repaired, based on this Google Gadget Group posting I saw yesterday, dated June 17, with no response by anyone in the group yet, particularly no response by any Google staff… to be continued.

Published on June 16, 2010 at 12:22 am

Javascript in the Beginning

Published on June 14, 2010 at 6:27 pm