Google Gadget Login Forms = Not Good

If you're not familiar with iGoogle (www.google.com/ig), it's a Google service that allows you to create customizable home pages by including gadgets that were contributed by the user community. These gadgets do anything from display the weather to providing news or stock reports. There are even mini Flash games you can play.

This seems harmless enough, but Google's gadget security model gave user-created (and therefore untrusted) gadgets access to your data at Google like gmail, Google docs, etc. I brought up some concerns with this model at the OWASP conference in San Jose a few years ago. Since then, Google has updated their security model to remove some of the more blatant weaknesses.

Recently, I came across a particular gadget created by the user community. It provides a login form that looks like this:



This gadget uses JavaScript to open an iframe to the eTrade mobile login form:

function display() { var destination_url = "https://wireless.etrade.com/etrade"; var html = '<iframe id="iframed_iframe_id" name="iframed_iframe" border="0" src="%27%20+%20destination_url%20+%20%27" marginwidth="0" marginheight="0" width="100%" frameborder="0" height="' + _gadget_height_pref + 'px"></iframe>'; ...

So, users of this gadget are allowing their login form for eTrade to be controlled by some random bozo on the Internet. The author of this gadget could update it at any time to change https://wireless.etrade.com/etrade to https://reallyevilphishingsite.com/etrade and the user wouldn't notice a thing.

Now, is it really Google's responsibility to prevent users from using gadgets like this? I say it is. Phishing attacks come down to an issue of education and trust. A user that knows to check the location bar of their browser, look for the lock icon, and so on may still fall for a phishing attack that comes from Google. After all, the location bar says "https://www.google.com/ig", the certificate is correct, and the lock icon is right where it should be. If Google wants to host user-provided content, they should prevent gadget writers from abusing users' trust in the Google name.

2 comments:

Casey said...

Interesting presentation...

Does Google now validate the code changes for Malicious content when hosted?

Tom Stripling said...

Google has some kind of approval process for new gadgets before they will be listed in the directory, but you can create and upload a gadget without any approval whatsoever. You would just need to advertise its location yourself. I very much doubt they subject gadgets to any kind of rigorous security testing during approval anyway.

Of course, a patient attacker would just create a legitimate gadget, gather a large number of users, and then slip malicious code into the gadget with an update. Users aren't notified when updates occur and wouldn't notice a thing.

Post a Comment