Is it just me, or does the phrase “adding third party gadgets to gmail” cry security vulnerability? I’ve read this posting from hackaddict, and it made me curious: just what can you do from a Google Gadget?
A little googling around (no pun intended :-)) led me to this presentation: Xploiting Google Gadgets: Gmalware and beyond (warning, PDF!). After reading it and doing my own poking around, here are the conclusions:
- As with almost every gadget/widget type service, you have to include a JS snippet on your page, meaning that you have to trust the provider (Google in this case).
- This JS generates an IFRAME and the 3rd party content is hosted in the IFRAME (using the gmodules.com domain). This stops it from interacting with your page; however, it does not stop gadgets from interacting with each other. This means that one malicious gadget may compromise other gadgets on the same page.
- The Google Gadgets API gives access to some of the user’s information by design to promote “social” use of the gadgets.
My conclusion is: if possible, avoid adding third-party JS to sites. Also, Google could have done a better job of securing the system, and they didn’t, which is a shame… One obvious thing which they could have done is to register a multitude of domains (gmodules0001.com, gmodules0002.com, …) and from the embed script give each module a separate domain, which would reduce their ability to communicate between themselves dramatically.
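To make the isolation argument concrete, here is an added example (not from the presentation or from Google's code) that models the browser's same-origin check for the host page and its gadget frames, first with every gadget on gmodules.com and then with one numbered domain per gadget. The gadget names, the `/gadget?name=` path and the host page URL are constructed for illustration.

```javascript
// Added example: which frames on a page share an origin and can therefore
// script each other. All names and URL paths below are constructed.

// The same-origin policy compares scheme, host and port.
function originOf(url) {
  return new URL(url).origin; // e.g. "http://gmodules.com"
}

// Scheme described above: every gadget iframe is served from gmodules.com.
function sharedDomainUrl(name) {
  return `http://gmodules.com/gadget?name=${encodeURIComponent(name)}`;
}

// Proposed scheme: the embed script gives each gadget its own numbered domain.
function perGadgetDomainUrl(name, index) {
  const n = String(index + 1).padStart(4, "0");
  return `http://gmodules${n}.com/gadget?name=${encodeURIComponent(name)}`;
}

// Build the frame list for one page: the host document plus one iframe per gadget.
function layout(hostUrl, gadgetNames, urlFor) {
  const frames = gadgetNames.map((name, i) => ({ name, url: urlFor(name, i) }));
  return [{ name: "host-page", url: hostUrl }, ...frames];
}

// Return every pair of frames that share an origin, i.e. pairs where one
// document is allowed to reach into the other's DOM.
function exposedPairs(frames) {
  const pairs = [];
  for (let i = 0; i < frames.length; i++) {
    for (let j = i + 1; j < frames.length; j++) {
      if (originOf(frames[i].url) === originOf(frames[j].url)) {
        pairs.push([frames[i].name, frames[j].name]);
      }
    }
  }
  return pairs;
}

const host = "http://example.com/home";                            // constructed
const gadgets = ["mail-preview", "calendar", "third-party-weather"]; // constructed

const shared = exposedPairs(layout(host, gadgets, sharedDomainUrl));
const isolated = exposedPairs(layout(host, gadgets, perGadgetDomainUrl));

console.log("shared gmodules.com:", shared);   // every gadget pair is exposed
console.log("per-gadget domains: ", isolated); // no pair shares an origin
```

In both layouts the host page never appears in an exposed pair, which matches the point that the IFRAME keeps gadgets away from the embedding page; only the shared domain lets gadgets reach each other.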