
BLACK HAT: Here come Google gadget flaws

One of Google's latest features can be manipulated to spread malware, a pair of researchers said Wednesday at the Black Hat conference in Las Vegas.

Google gadgets are small applications, such as a currency converter, calendar or weather forecast, that can be added to iGoogle on a user's homepage or the computer's desktop.

The problem lies in the fact that the mini-modules are created by third-party developers, who can embed malicious JavaScript to redirect users to hacker websites, security researcher Robert “RSnake” Hansen told several hundred people in attendance.

The gadgets are “incredibly powerful,” said Tom Stracener, the other presenter and a senior security analyst at web application security firm Cenzic.

The Google API is designed in such a way as to allow anyone to turn their webpage or application into a gadget that supports dynamic language. Stracener said the gadgets are easy to build, can be loaded and run on multiple websites and can reach millions of users – a potentially lethal combination for the next big attack.

“It's fertile ground for malware to take root,” Stracener said.

He added that the gadgets conceivably could be “weaponized into payloads” because they are based on code that is created and maintained by third parties. In addition, the gadgets could be configured to attack other gadgets, Stracener said.

The two men demonstrated one particularly troubling attack possibility in which a victim would call up the Google homepage and be immediately redirected to a phishing site resembling the Google Mail login page.

In another scenario, hackers could launch a cross-site request forgery attack in which a user unknowingly downloads a malicious gadget, allowing the cybercrooks to hijack the victim's session and steal, in this case, Google search queries.

Hansen said users should be concerned about vulnerabilities in Google gadgets. They can be infected by installing a gadget that they thought was safe but that actually contains malicious code.

Or hackers can take the circuitous, but potentially more successful, route of compromising the websites that host legitimate gadgets.

“Now I have my bad gadget running in the context of Google,” said Hansen, who has discovered numerous other Google flaws, including cross-site scripting vulnerabilities that he claims have never been fixed.

One audience member, though, questioned Google's burden to protect the gadgets from malicious use.

“Is it really up to Google to vet everything that comes under its domain?” he asked.

A Google spokesperson could not be reached for comment Wednesday evening.
