Uh-Oh Google Gadget


It’s a veritable heyday for hackers. A playground for those bent on more nefarious purposes. Those nifty little Google gadgets available for users to download and add to their websites are a big part of the Web 2.0 trend, and a big back door that allows hackers to access information on your system. Uh-oh Google gadgets.

It isn’t only Google that is at risk, and it isn’t a matter of them simply being lax with security measures. Any time you have sharing going on in that type of capacity, you are opening up your system to the chance that someone can get in. It’s just that because people find these little gadgets, like photo feeds or calendars, on a site as well known (and usually trusted) as Google, the average user pretty much automatically assumes they must be “safe”. Not necessarily true.

So-called “malicious” gadgets, meaning those able to read user information once downloaded, could be used in several ways. One could simply read your searches. Another could steal information from a different gadget that stores personal information, which could prove especially critical to the owner. Robert Hansen, chief executive of security consultant SecTheory, says, “How do you know it’s a legitimate gadget? Because someone uploaded it? There’s no moderation, there’s no way to guarantee it won’t turn bad.”

Hansen, along with Tom Stracener, senior security analyst with security testing software maker Cenzic Inc., demonstrated an attack Wednesday at the Black Hat hacker conference in Las Vegas where they used a malicious gadget to break into a person’s Web browser and read their searches in real time.

Google, however, disputes Hansen’s account of its “vetting process for gadgets”. The company stated that it regularly scans all of its gadgets for malicious code, and in the “very rare” case where one is discovered, immediately blacklists it. It also stated that it has not added any new “inline” gadgets since November of 2007. Inline gadgets are those which have access to user account information. Google also explains that authors of existing inline gadgets are not able to modify them in any way.

As with anything, I think Google is being naive if they feel they are absolutely invincible against hackers. Somehow, some way... there is always a crack in the door. To promise otherwise seems to be offering something that can’t be backed up. And in my opinion, Google’s in enough privacy hot water right now as it is to be making claims they can’t fully support. Do they need to refer back to the lawsuits they have going on right now right here in the US over Street View to give them a not so gentle reminder of that fact? Or maybe the battles going on in the UK? Regardless, when it comes to gadgets... many feel it’s a big... No No Google Gadget.

Via [SFGate]
