web application security lab

Phishing With Google Wave

Hat tip to cyberlocksmith for this post. He pointed me to a good article on how to phish Google Wave users using malicious gadgets. This is precisely what Tom Stracener and I were talking about in our presentation at DefCon and Blackhat a few years back - except this is for Wave instead of iGoogle. Either way the point is the same - when you let other people control content that is embedded in your site, you are at the mercy of whatever they choose to do within that gadget. In this case, they can pop the user out of the iframe and present them with a duplicate of the sign-in page. The vast majority of users would fall for this kind of attack too.

I really don’t mean to harp too much on Google specifically for this stuff (inasmuch as I have countless times in the past held them accountable for their crappy security). There are lots of other companies and websites that are moving to user-supplied gadgets in an iframe as if that alone makes them safe. Maybe some variant of HTML5 plus some trickery can solve these problems, but there are a lot of users on legacy browsers that won’t support those standards for a good long while. In the meantime, we just continue to see more vulnerable code being shipped by Google and their peers, and the only saving grace is that no one has yet decided to take advantage of their security flaws. Scary. But I’m sure a blacklist will solve their problems if and when they do get attacked, right? Right?
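The HTML5 mechanism alluded to above is the iframe `sandbox` attribute: a sandboxed frame cannot navigate the top-level page unless the host explicitly grants it, so a gadget cannot swap the host page for a look-alike sign-in form. As an added example (not code from the original post or from any gadget platform), here is a small audit script a site owner can run over their own pages to find gadget embeds that are allowed to escape their frame. The gadget URLs and the sample page are constructed for the example.

```python
from html.parser import HTMLParser

# Sandbox tokens that let a framed gadget replace the page that embeds it.
# These are the standard HTML sandbox keyword names.
TOP_NAV_TOKENS = {"allow-top-navigation", "allow-top-navigation-by-user-activation"}


def audit_iframe(attrs):
    """Classify one <iframe> by its attributes.

    Returns a dict with the frame's src, a risk level ("high", "medium" or
    "ok") and the reasons behind that level.
    """
    src = attrs.get("src", "")
    if "sandbox" not in attrs:
        return {"src": src, "risk": "high",
                "reasons": ["no sandbox attribute: the gadget may run scripts, "
                            "open windows and navigate the top-level page"]}

    tokens = set(attrs["sandbox"].split())
    high, medium = [], []
    escapes = tokens & TOP_NAV_TOKENS
    if escapes:
        high.append("grants %s: the gadget can replace the host page, e.g. with "
                    "a look-alike sign-in form" % ", ".join(sorted(escapes)))
    if {"allow-scripts", "allow-same-origin"} <= tokens:
        high.append("allow-scripts with allow-same-origin: a gadget served from "
                    "the host's own origin can strip its own sandbox")
    if "allow-popups" in tokens and "allow-popups-to-escape-sandbox" in tokens:
        medium.append("popups escape the sandbox: windows it opens are unrestricted")
    elif "allow-popups" in tokens:
        medium.append("allow-popups: the gadget can open new windows")
    risk = "high" if high else "medium" if medium else "ok"
    return {"src": src, "risk": risk, "reasons": high + medium}


class IframeAuditor(HTMLParser):
    """Collects an audit entry for every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # A bare boolean attribute (e.g. plain "sandbox") arrives with value
            # None; an empty token list is the strictest sandbox there is.
            self.findings.append(
                audit_iframe({k.lower(): (v or "") for k, v in attrs}))


def audit_html(document):
    """Return one finding per <iframe> in the given HTML string."""
    parser = IframeAuditor()
    parser.feed(document)
    parser.close()
    return parser.findings


# Constructed sample host page embedding three third-party gadgets.
SAMPLE_PAGE = """
<html><body>
<iframe src="https://gadgets.example/weather"></iframe>
<iframe src="https://gadgets.example/news" sandbox="allow-scripts allow-top-navigation"></iframe>
<iframe src="https://gadgets.example/clock" sandbox="allow-scripts allow-forms"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for finding in audit_html(SAMPLE_PAGE):
        print(finding["risk"].upper(), finding["src"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

Of the three sample embeds, the first (no `sandbox`) and the second (`allow-top-navigation`) are flagged high, while the third keeps the gadget's scripts and forms inside its own frame and passes. The script only checks the host's side of the contract; it does not inspect the gadget content itself, and it does nothing for browsers that ignore the attribute.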

12 Responses to “Phishing With Google Wave”

  1. DucDigital Says:

    Very interesting article, guess Google doesn’t have to follow their own motto.

  2. Robert Chapin Says:

    The part that always bothers me is when they encourage webmasters to include Google code on other websites as though they are party favors. That’s in the first sentence of the Gadgets page, “Gadgets powered by Google are miniature objects made by Google users like you that offer cool and dynamic content that can be placed on any page on the web.”

  3. stucky Says:

    Because blacklists fail at blacklisting, right? Right?

    Sorry I don’t have anything constructive to add to this conversation.

    Good read though, as usual.

  4. duryodhan Says:

    My friend once found an XSS bug in some gadget, and was able to replace the content of the gadget with a Google-like login page. He emailed Google and they replied basically with “XSS is not a problem, it’s served from a different domain. The phishing thing is not a problem because a user can see at the top right he is already logged in, and also it’s not the usual site ‘https://www.google.com/account?blahblah’”

  5. Parashuram Says:

    This type of phishing could be a problem as the user is on Google Wave and is suddenly redirected to the page. Phishing is usually by clicking a link, etc. This seems like you have been logged out. Not many would notice the URL bar.

    If you don’t believe me, check this list of guys who could have been hacked:

    http://bit.ly/credpage

  6. Nos Says:

    What’s more scary, that Google has THAT kind of security or that when being contacted they respond in the manner duryodhan just mentioned…

  7. Nadim Says:

    Nice article, I was actually just reading up on these things since I found iGoogle a nice place to collect all the relevant news feeds I wanted to follow. And sure enough I read about how RSS feeds can be a screwy way to shoot yourself in the foot if the feed isn’t clean. I think one way to add a level of security would be to run those feeds through a Yahoo pipe and do some brushing and validation there before getting it thrown on to your site. I got the idea from this blog entry: http://bloggersentral.blogspot.com/2009/12/list-post-titles-in-alphabetical-order.html where the blogger came up with a nifty way of displaying post titles on blogspot blogs.

  8. Thomas Stig Jacobsen Says:

    I also wrote this blog post last month to prove some of the things that can be done by dirty gadgets.

    http://www.e-x-e.dk/2010/01/16/a-blogpost-about-hacking-google-wave-with-xss-and-xssr/

  9. James Landis Says:

    Google Wave Phishing = SurphCasting? Do I win?

  10. lofi Says:

    This problem was already reported to Google in 2009 and an advisory was released.

    http://sotiriu.de/adv/NSOADV-2010-002.txt

    Google doesn’t think this is a security problem right now.

  11. Monirul Islam Says:

    I used this technique to generate some traffic for my site. I just replied to a few (8-10) public waves with my gadget (it just redirects the user to my site) and within 24 hours I got 300+ unique visitors and 3000+ page views.

    So, this technique can be used not only for phishing but also for some traffic generation.

  12. antimatter15 Says:

    I made a wave about the flaw and made a little prototype demonstrating the issues back in October of 2009.