Get Ready For Google Gadget Malware

July 25, 2008 – 5:23 PM

“Gmalware” may be coming soon to your iGoogle page.

In two weeks, at the Black Hat Conference on Wednesday, Aug. 6, Cenzic senior security analyst Tom Stracener and security researcher Robert Hansen, better known as “RSnake,” plan to demonstrate a zero-day vulnerability that affects Google Gadgets.

“At the core of the talk is the concept of Gmalware, which is basically a malicious gadget,” said Stracener. “The idea is that gadgets are supported by the gmodule domain and security architecture. And with the current security architecture, it doesn’t protect individuals from malicious gadgets very well. Nor does it protect gadgets from one another.”

Google Gadgets, said Stracener, are vulnerable to information theft, deceptive practices, content spoofing, and authentication issues.

A Google Gadget, for example, can log you into an account without your knowledge and monitor your Google Search queries, Stracener explained. It can also be made to attack another Google Gadget and steal information.

No malicious Google Gadgets have been spotted in the wild yet. Once details about the vulnerabilities emerge, however, that may change.

Source:
http://www.informationweek.com/news/internet/google/showArticle.jhtml?articleID=209601064