Phishing With Google Wave
Hat tip to cyberlocksmith for this post. He pointed me to a good article on how to phish Google Wave users using malicious gadgets. This is precisely what Tom Stracener and I were talking about in our presentation at DefCon and Blackhat a few years back, except this is for Wave instead of iGoogle. Either way the point is the same: when you let other people control content that is embedded in your site, you are at the mercy of whatever they choose to do within that gadget. In this case, they can pop the user out of the iframe and present them with a duplicate of the sign-in page. The vast majority of users would fall for this kind of attack too.
I really don’t mean to harp too much on Google specifically for this stuff (in as much as I have countless times in the past held them accountable for their crappy security). There are lots of other companies and websites that are moving to user-supplied gadgets in an iframe as if that makes them safe. Maybe some variant of HTML5 plus some trickery can solve these problems, but there are a lot of legacy users who won’t be able to support those standards for a good long while. In the meantime, we just continue to see more vulnerable code being output by Google and their peers, and the only saving grace is that no one has yet decided to take advantage of their security flaws. Scary. But I’m sure a blacklist will solve their problems if and when they do get attacked, right? Right?
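The HTML5 containment hinted at above, as an added example that is not code from this post or from Google: the host page strips any sandbox token that would let a gadget navigate the top frame, so the browser itself blocks the "pop out of the iframe and show a fake sign-in page" step. The gadget origin, the manifest token list and all function names are assumptions.

```javascript
// Added example: host-side containment of third-party gadget iframes via the
// HTML5 sandbox attribute. Names and the "manifest" token list are assumptions.

// Tokens that would let a gadget escape its frame: top navigation is exactly
// the "pop the user out of the iframe" step used to show a fake sign-in page.
const FORBIDDEN_GADGET_TOKENS = new Set([
  "allow-top-navigation",
  "allow-top-navigation-by-user-activation",
  "allow-popups-to-escape-sandbox",
]);

// The only capabilities a gadget may request; anything else is dropped.
const GRANTABLE_GADGET_TOKENS = new Set([
  "allow-scripts", "allow-forms", "allow-popups", "allow-same-origin",
]);

// Reduce a gadget's requested sandbox tokens to what the host will grant.
function effectiveSandbox(requested) {
  const granted = [];
  const denied = [];
  for (const raw of requested) {
    const tok = raw.trim().toLowerCase();
    if (!GRANTABLE_GADGET_TOKENS.has(tok) || FORBIDDEN_GADGET_TOKENS.has(tok)) {
      denied.push(tok);
    } else if (!granted.includes(tok)) {
      granted.push(tok);
    }
  }
  return { granted, denied };
}

function escapeAttr(s) {
  return String(s).replace(/&/g, "&amp;").replace(/"/g, "&quot;")
    .replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Build the iframe markup the host page embeds. The gadget must be served
// from an origin other than the host: with allow-scripts + allow-same-origin
// a same-origin frame could reach into the parent and remove its own sandbox.
function renderGadgetFrame(gadgetSrc, requested, hostOrigin) {
  const url = new URL(gadgetSrc);
  if (url.origin === hostOrigin) {
    throw new Error("gadget must not be served from the host origin");
  }
  const { granted } = effectiveSandbox(requested);
  return `<iframe src="${escapeAttr(url.href)}" ` +
    `sandbox="${granted.join(" ")}" referrerpolicy="no-referrer"></iframe>`;
}
```

Without allow-top-navigation the framed gadget can still run its own script and render its own content, but a frame-busting attempt against the top window fails, which is the containment the post wishes iGoogle and Wave had.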



February 10th, 2010 at 7:44 pm
Very interesting article, guess Google doesn’t have to follow their own motto.
February 10th, 2010 at 9:52 pm
The part that always bothers me is when they encourage webmasters to include Google code on other websites as though they are party favors. That’s in the first sentence of the Gadgets page, “Gadgets powered by Google are miniature objects made by Google users like you that offer cool and dynamic content that can be placed on any page on the web.”
February 10th, 2010 at 10:13 pm
Because blacklists fail at blacklisting, right? Right?
Sorry I don’t have anything constructive to add to this conversation.
Good read though, as usual.
February 10th, 2010 at 10:18 pm
My friend once found an XSS bug in some gadget, and was able to replace the content of the gadget with a Google-like login page. He emailed Google and they replied basically with “XSS is not a problem, it’s served from a different domain. The phishing thing is not a problem because a user can see at the top right he is already logged in, and also it’s not the usual site ‘https://www.google.com/account?blahblah’”
February 10th, 2010 at 10:37 pm
This type of phishing could be a problem as the user is on Google Wave and is suddenly redirected to the page. Phishing is usually by clicking a link, etc. This seems like you have been logged out. Not many would notice the URL bar.
If you don’t believe me, check this list of guys who could have been hacked..
http://bit.ly/credpage
February 11th, 2010 at 12:50 am
What’s more scary, that Google has THAT kind of security or that when being contacted they respond in the manner duryodhan just mentioned…
February 11th, 2010 at 10:59 am
Nice article, I was actually just reading up on these things since I found iGoogle a nice place to collect all the relevant news feeds I wanted to follow. And sure enough I read about how RSS feeds can be a screwy way to shoot yourself in the foot if the feed isn’t clean. I think one way to add a level of security would be to run those feeds through a Yahoo pipe and do some brushing and validation there before getting it thrown on to your site. Got the idea from this blog entry: http://bloggersentral.blogspot.com/2009/12/list-post-titles-in-alphabetical-order.html where the blogger came up with a nifty way of displaying post titles on blogspot blogs.
February 11th, 2010 at 3:57 pm
I also wrote this blog post last month to prove some of the things that can be done by dirty gadgets.
http://www.e-x-e.dk/2010/01/16/a-blogpost-about-hacking-google-wave-with-xss-and-xssr/
February 11th, 2010 at 4:41 pm
Google Wave Phishing = SurphCasting? Do I win?
February 12th, 2010 at 3:15 am
This problem was already given to Google in 2009 and an advisory was released.
http://sotiriu.de/adv/NSOADV-2010-002.txt
Google doesn’t think this is a security problem right now.
February 15th, 2010 at 5:11 am
I used this technique to generate some traffic for my site. I just replied to a few (8-10) public waves with my gadget (it just redirects the user to my site) and within 24 hours I got 300+ unique visitors and 3000+ page views.
So, this technique can be used not only for phishing but also for some traffic generation.
February 22nd, 2010 at 5:11 pm
I made a wave about the flaw and made a little prototype demonstrating the issues back in October of 2009.