One of the biggest problems with the so-called Web 2.0 movement has been its encouragement of oversharing — which often means underestimating security risks. Adding doodads of varying quality to a home page can add a lot of pizazz, but can also be fraught with danger, since they can open a door for hackers.
It's a threat even for the biggest Web companies, including Google Inc., whose "gadgets" — little programs like calendars or daily photo feeds that users can implant onto their personalized Google home pages — are increasingly juicy targets for hackers, two security researchers said Wednesday.
It's not that Google is designing insecure programs.
The issue is that users building their own customized applications, and distributing them through Google, might have evil intentions and try to exploit those programs once they're installed on users' pages. Many users are inclined to inherently trust what they download from Google.
Google may have to change their motto to, "Don't be evil...or work with programmers with nefarious intentions to cause harm through homepage plug-ins."
Does this mean we should all switch to Cuil? Heh.
[informationweek.com...]
Gadgets can be used for JavaScript and HTML injection, Web site defacement, data poisoning, content and gateway spoofing, surveillance and spyware, exposure and theft of data, gmalware (DDoS, cookie theft, zombies), worms, and coercive functionality.
Additionally...
Hansen said that four years ago, he found a Web redirection vulnerability that was being actively used by phishers. He alerted Google, eBay, DoubleClick, and Visa. Visa closed the hole in hours. DoubleClick had a partial fix in place in days. It took eBay several weeks to fix the problem. But Google still hasn't fixed all the vulnerabilities.
Google didn't seem to take the matter too seriously yet didn't offer any explanation.
Same info recently released at Register.
"Google is and will be and always has been vulnerable," Robert Hansen, CEO of secTheory, told a standing-room-only audience at the Defcon security conference in Las Vegas. "They haven't been open with consumers. Ultimately, this all comes down to the fact that they just want to track you guys."
Google representatives didn't respond to an email requesting comment for this story. They told the Associated Press that the company regularly scans gadgets for malicious code, and in the "very rare" occasions bad applications are found, they are immediately quarantined.
The speakers took strong exception to Google's claim. They've had several proof-of-concept gadgets hosted for months on Google, and so far they've never been removed, they said.
I suspect the problem is the XP generation - people who have only ever seen Microsoft's highly restricted façade rather than the computer itself. They feel let down if somehow they are allowed to do something that harms their computing experience.
Someone needs to get the message out that computers are not automatic entertainment and surfing systems, they are computers - machines which compute. What the machine computes is entirely your responsibility to define.
Someone needs to get the message out that computers are not automatic entertainment and surfing systems, they are computers - machines which compute.
I cannot see Michael Dell taking that one on board. ;)
The major manufacturers tend to promote computers as automatic entertainment and surfing systems.
Some common sense is required, but I actually do believe that the general public are entitled to expect that companies like Google would not put their machines at risk with anything they offer for download.
And in all that time the PUBLIC is John Q Dumb. Remains so to this day. Giggle allows the gadgets, Giggle should be responsible for how the gadgets work.
We hold everybody else's toes to the fire if they )(*& up. Why not Giggle?
This is more about users not being responsible for their own computers.
User responsibility is to use common sense and to keep your software up to date, not open email from people you don't know that can infect your machine, and not visit a web page even after being warned it may have malware.
This is beyond that, this is when a trusted company named Google is not taking responsibility for making sure the tools it provides to the sheep that trust Google are secure and can't cause harm to its customers.
What will you do when your McAfee SiteAdvisor stops you from going to Google with a warning that "This site is known to contain Malware or links to sites with Malware"?
Wouldn't that be a hoot!
If you are worried about the gadget, just use the ones Google makes; they have many quality ones.
I think you're missing the issue entirely.
The general public is unaware of any potential threat so they aren't capable of making informed decisions in this matter since they trust Google and would assume anything posted on Google Gadgets would also be trustworthy.
The general public is unaware of any potential threat so they aren't capable of making informed decisions in this matter since they trust Google and would assume anything posted on Google Gadgets would also be trustworthy.
What would you suggest then? Google isn't going to waste their time manually reviewing each gadget, especially since most gadgets are completely editable. People can complain all they want but I'm sure Google has considered this issue and the number of "evil" gadgets is too small to worry about.
Maybe I need to pay my adwords bill securely. See? Money well spent.
PS
I noticed that if someone goes to casino and other junk sites from the office, the attacks increase ten-fold.
and in the "very rare" occasions bad applications are found, they are immediately quarantined.
Once again, I ask you all what you believe Google should do about it that's reasonable? The general public has the IQ of an armchair and is more likely to acquire spyware/malware surfing the web for 30 seconds than staying on iGoogle all day.
Google should not have to hold everyone's hand when it comes to offering some useful gadgets. "Be careful, there's a very slight chance something bad could happen! In fact, just stay off the web altogether and you'll be safe!"
Google should not have to hold everyone's hand when it comes to offering some useful gadgets. "Be careful, there's a very slight chance something bad could happen! In fact, just stay off the web altogether and you'll be safe!"
If Google puts their name on it, or allows it to be distributed under their name, they are responsible. Why not be proactive and CHECK the products before making them available? It won't take too many of these bad gadgets to change the way John Q Public thinks about Google...and that will turn and bite 'em.
Yes, the user has a responsibility, but the user also has an expectation of warranty or use BASED ON THE PROVIDER... and last I looked, Goggle Gadgets come from Google.
Why not be proactive and CHECK the products before making them available? It won't take too many of these bad gadgets to change the way John Q Public thinks about Google...and that will turn and bite 'em.
Most gadgets are external code...so if Google reviews them and they pass, the next day the provider can change the code and throw on adware. Google would have to check thousands of gadgets every day, probably multiple times a day.
I don't know how Google handles Gadgets, but I'd like to think that new submissions or updates are put in a similar sandbox and only those that Google gives their own seal of approval get put on the site, that ad hoc changes aren't possible.
If that's the case, I think I'd be reasonably satisfied.
Google isn't going to waste their time manually reviewing each gadget
Well I would hope that this is exactly what they do! They are responsible for what they are offering.
As I posted earlier, they even say that they do.
They [Google] told the Associated Press that the company regularly scans gadgets for malicious code, and in the "very rare" occasions bad applications are found, they are immediately quarantined.
Defcon say that they were angry at Google's claims because they have had several proof-of-concept gadgets hosted for months on Google, and so far they've never been removed.
only those that Google gives their own seal of approval get put on the site, that ad hoc changes aren't possible.
Once again, 80% of the gadgets are iframes and redirects to external sites hosting the gadgets. There is no way Google can keep tabs on every gadget since they are externally hosted and can be changed instantly.
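The two posts above about external code (the one replying to "Most gadgets are external code..." and this one on iframes) make the same point: a one-time review proves nothing, because the code that actually runs lives on somebody else's host and can change the day after approval. Here is an added example, not part of any post in this thread and not Google's own review tooling, of the check a reviewer would actually need: hash what executes rather than the gadget spec alone, and re-fetch it later to see whether it still matches. The gadget specs, host contents and URLs are constructed for the demo, and the Module/Content type="html"/type="url" href layout is assumed from the Google Gadgets XML format.

```python
"""Re-check externally hosted gadget code after a one-time review.

Constructed demonstration: the gadget specs and the "hosts" below are made up,
and the <Module>/<Content type="html"|"url"> layout is assumed from the Google
Gadgets XML format rather than taken from any real gadget."""
import hashlib
import xml.etree.ElementTree as ET
from typing import Callable, Dict, List, Optional, Tuple

# A gadget whose code is inline in the spec: reviewing the spec reviews the code.
INLINE_GADGET = """<Module>
  <ModulePrefs title="Clock (constructed)"/>
  <Content type="html"><![CDATA[
    <div id="clock"></div>
    <script>document.getElementById('clock').textContent = new Date().toString();</script>
  ]]></Content>
</Module>"""

# A gadget that is only a pointer: the code is whatever the external host serves.
FRAMED_GADGET = """<Module>
  <ModulePrefs title="Weather (constructed)"/>
  <Content type="url" href="http://gadgets.example.invalid/weather.html"/>
</Module>"""

# What the external host served at review time versus later (constructed bodies).
HOST_AT_REVIEW = {
    "http://gadgets.example.invalid/weather.html": b"<html><body>Sunny, 24C</body></html>",
}
HOST_LATER = {
    "http://gadgets.example.invalid/weather.html":
        b"<html><body>Sunny, 24C<script src='http://ads.example.invalid/x.js'></script></body></html>",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def executing_content(spec_xml: str, fetch: Callable[[str], bytes]) -> Tuple[Optional[str], bytes]:
    """Return (external_url, body) for what really runs in the user's page.

    type="html": the code is inside the spec itself, so no fetch is needed.
    type="url":  the spec is just a pointer, so the hosted document must be fetched."""
    root = ET.fromstring(spec_xml)
    content = root.find("Content")
    if content is None:
        raise ValueError("spec has no <Content> element")
    if content.get("type", "html") == "url":
        href = content.get("href")
        if not href:
            raise ValueError('type="url" content has no href')
        return href, fetch(href)
    return None, (content.text or "").encode("utf-8")


def record_review(spec_xml: str, fetch: Callable[[str], bytes]) -> Dict[str, Optional[str]]:
    """Baseline taken at approval time: hash of the spec AND of the executing content."""
    url, body = executing_content(spec_xml, fetch)
    return {
        "spec_sha256": sha256_hex(spec_xml.encode("utf-8")),
        "external_url": url,
        "content_sha256": sha256_hex(body),
    }


def recheck(baseline: Dict[str, Optional[str]], spec_xml: str,
            fetch: Callable[[str], bytes]) -> List[str]:
    """Compare a fresh fetch against the baseline; any finding means re-review or quarantine."""
    findings = []
    if sha256_hex(spec_xml.encode("utf-8")) != baseline["spec_sha256"]:
        findings.append("spec changed since review")
    url, body = executing_content(spec_xml, fetch)
    if url != baseline["external_url"]:
        findings.append("external URL changed since review")
    if sha256_hex(body) != baseline["content_sha256"]:
        findings.append("executing content changed since review" + (f" at {url}" if url else ""))
    return findings


def demo() -> Dict[str, List[str]]:
    """Review both gadgets against the old host state, then re-check against the new one."""
    fetch_then = HOST_AT_REVIEW.__getitem__
    fetch_now = HOST_LATER.__getitem__
    results = {}
    for name, spec in (("inline", INLINE_GADGET), ("framed", FRAMED_GADGET)):
        baseline = record_review(spec, fetch_then)
        results[name] = recheck(baseline, spec, fetch_now)
    return results


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or ["unchanged since review"])
```

Run it and the inline gadget reports nothing, while the framed gadget reports that the hosted page changed even though the spec that was reviewed is byte-identical. That is exactly the gap the posts describe: a reviewer who only hashes the spec on the day of submission never sees the adware arrive. A real deployment would run the recheck on a schedule against every approved gadget and pull the gadget on any finding.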
It IS Google's responsibility. End of story. If Google makes it MY responsibility to make sure there is no funny business happening on my webpages; if they GO SO FAR AS TO PUNISH ME when they find "malicious material" present on my sites...then they OWE IT TO ME to be 100% safe in every conceivable way.
There is no reason you can give me for which I will accept a contrarian opinion. I expect from Google only what they expect from me; though by every imaginable metric I should expect more from them than they have a right to expect from me.
This "size as protection against minor faults" theory is no good:
Once again, 80% of the gadgets are iframes and redirects to external sites hosting the gadgets. There is no way Google can keep tabs on every gadget since they are externally hosted and can be changed instantly.
Someone needs to get the message out that computers are not automatic entertainment and surfing systems, they are computers - machines which compute. What the machine computes is entirely your responsibility to define.
I think virtually everyone has that understanding -- I doubt that John Q. Public/Dumb is about to start asking Google for money because they downloaded a virus and need to get their computer wiped or repaired. Ultimately, when it comes time to pay the piper for the mistakes and malware, we are all responsible for our own machines. The issue is that by positioning themselves as the industry leader Google has de facto responsibility. Should MS stop publishing updates and service packs?
Most gadgets are external code...so if Google reviews them and they pass, the next day the provider can change the code and throw on adware. Google would have to check thousands of gadgets every day, probably multiple times a day.
My goodness, if Google can index the web every 24 hours (millions of pages) they can certainly check a few KNOWN (1,000s) gadgets!
I say let 'em do nothing...and when the Fit Hits the Shan let 'em reap the reward of lost customers. After all, Live and Yahoo become beneficiaries of a Google "do nothing" mentality.
I think virtually everyone has that understanding -- I doubt that John Q. Public/Dumb is about to start asking Google for money because they downloaded a virus and need to get their computer wiped or repaired. Ultimately, when it comes time to pay the piper for the mistakes and malware, we are all responsible for our own machines.
Exactly. When your computer tech (John Q Public's) tells you "Google did it. Might do it again. Here's your bill for $500." John Q will get the message to stay away from Google. John Q only needs to get burned once, no more than twice to get that message.
The NAME of the APP that caused the problem is GOOGLE GADGET SOMETHING or other. John Q can remember that!
My goodness, if Google can index the web every 24 hours (millions of pages) they can certainly check a few KNOWN (1,000s) gadgets!
Big difference between an indexing bot and a real person who manually reviews. The total Google gadget count is I believe around 25,000 and growing.
"Google did it. Might do it again. Here's your bill for $500."
A framed or externally launched site will not be linked to Google. The computer tech will give the external site's address. Whether John Q. Public has the knowledge to say "Well, I added this shifty looking gadget recently and now my computer is acting up" is up in the air.
While we're at it, might as well punish Google for ever displaying a malware site in their search results as well.
While we're at it, might as well punish Google for ever displaying a malware site in their search results as well.
Good idea!
Not only that, they should be punished if they allow software footprint queries to locate vulnerable sites!
The hackers actually use (or did use) Google to locate software that may be vulnerable, and for some reason one of my sites was coming up in response to PhotoCart software footprint queries. My site was under heavy botnet attack for 2 weeks thanks to Google simply listing my site under that search result. Once I figured out what the problem was and where the data was coming from (Google) there was a flurry of emails back and forth and quite a bit of badgering before they did something about it.
Finally Google caved and restricted the search results for that software footprint and suddenly the attack on my site ended, but it shouldn't take that much cajoling just to get something so simple done to end a full scale attack.
FWIW, Google is much better about it these days but at the time Live was (and still is) one of the best SE's when it comes to filtering out software footprint queries to stop their services from being used to launch those types of attacks.
Yahoo on the other hand, seems like they could care less, and if I remember correctly they gave some glib response about how their search results are used not being their problem.
Just thought I'd throw it all out there to give a balanced view of the various responses.
OK, back to the topic of gadgets ;)
I wonder if something like McAfee Site Advisor or any of the AV products would even fire off a warning about a bad gadget before it was too late?
[edited by: incrediBILL at 8:35 pm (utc) on Aug. 11, 2008]
A framed or externally launched site will not be linked to Google. The computer tech will give the external site's address. Whether John Q. Public has the knowledge to say "Well, I added this shifty looking gadget recently and now my computer is acting up" is up in the air.
When John Q asks "How'd I get there? I've never been to that site?" the answer will be "Came through an iframe created by a Goggle Gadget."
John Q's next question will be "What is an iframe and how do I kill it? I don't want iframes ever again!"
John Q, not understanding the nature of the beast, will get an unsatisfying answer to that question...which leaves him with only one recourse...no more Gadgets, and maybe no more Google because they let it happen.
And this is just the kind of thing that will make the six o'clock news IF a substantial exploit is ever delivered via Gadgets sponsored by Google.
Google is just big enough these days that it won't be long before their press will change from good guys to corporate nogoodnicks. Happens to every company that gets big...sooner or later.
And, I suspect, some enterprising virus checking company will eventually offer an option to not only block popups and javascript, but iFrames as well--in the interest of security.
Won't bother me, I don't use iframes...but many do...
While we're at it, might as well punish Google for ever displaying a malware site in their search results as well.
If they have enough knowledge and personnel to impose restrictions and sanctions on virtually any website -- at least as far as their SERPS go, which in effect kills any site not big enough to generate significant levels of direct traffic -- then maybe they should refocus their efforts and actually follow their Don't Be Evil motto.
If malicious infusion of my computer continues as it is, getting worse every year, it won't be long before I just stop using the net.
As for blaming the consumer, you do not have to go to porn, gambling or other sites to get properly shafted.
I spend so much time now fixing viruses that I am almost over all of it.