
August 20, 2007

Researcher lambastes Google over Gadgets phishing flaw

By John Pospisil

Security researcher Robert Hansen has slammed Google over its response to an email he sent about a vulnerability that could allow hackers to use gmodules.com for phishing attacks. The domain is used by Google to host Google Gadgets.

Google Gadgets are small applications that can be placed on your desktop to show information such as new email, weather, time, photos and news.

According to Hansen, who is CEO of security consultancy SecTheory, an XSS hole in Google Gadgets can be used by hackers to get around anti-phishing filters, allowing them to create phishing sites on gmodules.com. Because gmodules.com is recognized as a safe site by filtering software, users will not be warned of any security problems.

“So for anyone interested in exploiting this non-bug, they would tell people to add their own modules, which are hijacked, of course, allowing them to take over other people’s websites when they embedded the erroneous third party code,” wrote Hansen on his blog.

Hansen reported the problem to Google, but was dismayed by the response he received:

On further review, it turns out that this is not a bug, but instead the expected behavior of this domain. Javascript is a supported part of Google modules, as seen, for example, here: http://www.google.com/apis/maps/documentation/mapplets/#Hello_World_of_Mapplets. Since these modules reside on the gmodules.com domain instead of the Google domain, cross-domain protection stops them from being used to steal Google-specific cookies, etc. If you do find a way of executing this code from the context of a google.com domain, though, please let us know.

Hansen was stinging in his criticism.

“BZZZT! Wrong answer,” he wrote. “On further review, Google needs to figure out what XSS is used for – it’s not just for credential theft. You couldn’t make this stuff up if you tried. Putting phishing sites on gmodules.com is apparently expected behavior.”

Google has been contacted for comment.
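The disagreement above comes down to two separate properties: what the same-origin policy guarantees (Google's point) and what a domain-reputation filter actually checks (Hansen's point). The following is an added example, not code from the article, from Google, or from SecTheory. It assumes a hypothetical anti-phishing filter that keeps a domain allowlist, and it uses constructed URLs and lists; the only real names in it are google.com and gmodules.com, which the article discusses. It shows that a page on gmodules.com is indeed a different origin from google.com, and also that a filter which trusts whole domains will wave through any page hosted there, which is why a domain that serves third-party content should never be auto-trusted.

```javascript
// Added example (not from the article): why a domain allowlist alone does not
// protect users from phishing pages hosted on a trusted third-party-content
// domain, and what the same-origin policy does and does not guarantee.
// Runs under Node.js with only the built-in URL class.

// Hypothetical allowlist of domains a naive anti-phishing filter treats as
// safe, and a list of domains known to serve third-party (user-supplied)
// content. Both lists are constructed for this example.
const TRUSTED_DOMAINS = new Set(["google.com", "gmodules.com"]);
const THIRD_PARTY_CONTENT_HOSTS = new Set(["gmodules.com"]);

// Registrable domain, simplified to the last two labels of the hostname.
// Real filters consult the Public Suffix List; this is enough for the demo.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".");
  return labels.slice(-2).join(".");
}

// Naive verdict: any URL under an allowlisted domain is reported as "safe".
// This is the behaviour the article describes: gmodules.com is on the list,
// so nothing hosted there is ever flagged.
function naiveVerdict(url) {
  const host = new URL(url).hostname;
  return TRUSTED_DOMAINS.has(registrableDomain(host)) ? "safe" : "unknown";
}

// Hardened verdict: a domain that hosts third-party content cannot vouch for
// every page under it, so such URLs are never auto-trusted; they fall through
// to content-based checks (represented here by the "inspect" verdict).
function hardenedVerdict(url) {
  const host = new URL(url).hostname;
  const domain = registrableDomain(host);
  if (THIRD_PARTY_CONTENT_HOSTS.has(domain)) return "inspect";
  return TRUSTED_DOMAINS.has(domain) ? "safe" : "unknown";
}

// Same-origin check (scheme, host, port), the protection Google's reply relies
// on: a page on gmodules.com is a different origin from google.com, so it
// cannot read google.com cookies or DOM. That does not stop it from presenting
// a convincing login form of its own, which is the phishing risk Hansen raises.
function sameOrigin(a, b) {
  const u = new URL(a);
  const v = new URL(b);
  return u.protocol === v.protocol && u.hostname === v.hostname && u.port === v.port;
}

// Constructed URLs for illustration; the gadget path is a placeholder.
const GADGET_URL = "http://www.gmodules.com/placeholder/gadget";
const GOOGLE_URL = "https://www.google.com/accounts/";

console.log("naive verdict:", naiveVerdict(GADGET_URL));        // safe (the flaw)
console.log("hardened verdict:", hardenedVerdict(GADGET_URL));  // inspect
console.log("same origin as google.com?", sameOrigin(GADGET_URL, GOOGLE_URL)); // false
```

Both sides of the argument are consistent with this output: the gadget page really cannot touch google.com's origin, and the naive filter really does call it safe. The fix on the filter side is the one `hardenedVerdict` shows: treat hosting domains for user-supplied content as a reason to inspect, not as a reason to trust.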
