'Google gadgets spread malware' !!

Started by ram, Aug 10, 2008, 06:25 PM

ram

Hi [you],

'Google gadgets spread malware'

One of the biggest problems with the so-called Web 2.0 movement has been its encouragement of oversharing -- which often means underestimating security risks.

Adding doodads of varying quality to a home page can add a lot of pizazz, but can also be fraught with danger, since they can open a door for hackers.

It's a threat even for the biggest Web companies, including Google Inc, whose "gadgets" -- little programmes like calendars or daily photo feeds that users can implant onto their personalised Google home pages -- are increasingly becoming juicy targets for hackers, two security researchers said.

It's not that Google is designing insecure programs. The issue is that users building their own customised applications, and distributing them through Google, might have evil intentions and try to exploit those programs once they're installed on users' pages.

Many users are inclined to inherently trust what they download from Google.

Robert Hansen, chief executive of security consultant SecTheory, and Tom Stracener, senior security analyst with security testing software maker Cenzic Inc, demonstrated an attack at the Black Hat hacker conference in Las Vegas in which they used a malicious gadget to break into a person's Web browser and read their searches in real time.

arun

Google "gadgets" called gateways for hackers

LAS VEGAS, Nevada (AFP) - Hackers turned computer security specialists accuse Google of setting users up for online disasters by letting them personalize home pages with applications that could be tainted.

Software that hackers can trick people into installing on "iGoogle" home pages can track users' activities and control their machines, SecTheory chief executive Robert Hansen showed AFP on Friday.

"I could force you to download child porn or send subversive material to China," Hansen said. "The exploitation is almost limitless. Google has to fix it."

Google lets people customize iGoogle home pages with mini-software programs called "gadgets" such as to-do lists, news feeds, currency converters, and calendars.

Hackers can program malicious code into proffered gadgets or break into systems hosted by engineers providing legitimate mini-programs.

"It turns out a lot of people who develop these things aren't good at security," Hansen said, citing research he and Cenzic security analyst Tom Stracener shared at a notorious annual DefCon hacker gathering in Las Vegas.

"We pretty much break into anything we try."

Hackers can resort to a tactic of luring people to websites that trick people into installing applications in iGoogle home pages. A hacker can remotely control a victim's computer as long as the iGoogle page is open.

Gmail users face danger from the same "hole" in security, according to Hansen, whose hacker name is "RSnake."

"We've been telling Google about these vulnerabilities for years and they have not made corrective actions," Hansen said.

"They chose to open the doors and insomuch put a lot of consumers at risk."

Google says it checks gadgets for malicious code, rarely finding any, and that it removes tainted programs.

Source: Yahoo
- Arun Kumar