Comments on: First Impressions on Security in Google Wave

By: Cultural Heritage » Blog Archive » Google Wave and libraries: a snapshot

Mon, 04 Jan 2010 10:02:23 +0000

[...] Security concerns about Wave were raised and it seemed that a number of organisations’ ICT departments have reservations about the service. For example, Wave gadgets are applications that operate in Wave, allowing the embedding of code from non-trusted sources. As a result they are potentially vulnerable to cross-site scripting (XSS) threats. Google’s own “Yes/No/Maybe” gadget triggers a clickjacking warning when using NoScript because the gadget contains partially hidden elements. While not necessarily an issue in itself when the gadget in question is provided by a trusted source it does highlight the fact that a non-trusted source could create a gadget with hidden elements in order to pose a clickjacking threat to Wave users. For a general overview of security issues in Wave see here. [...]

By: Update: First Impressions on Security in Google Wave | Legal Technology Today

Wed, 09 Dec 2009 21:52:37 +0000

[...] via First Impressions on Security in Google Wave | Social Hacking. [...]

By: Google Wave – Security Risk, Fun Distraction, or Crime Solving Tool? | Applied Signs & Display Blog

Wed, 02 Dec 2009 11:43:50 +0000

[...] TheHarmonyGuy has highlighted what he believes to be some serious security gaps which could lead to social hacking or spamming becoming a problem for Google Wave users. [...]

By: mike wilson

mike wilson — Sat, 21 Nov 2009 03:49:40 +0000

Interesting analysis. While each individual vulnerability is not much of a concern (they may be addressed in future releases), put together they underline some serious weaknesses of the security model. I am more and more convinced that Google just created a glorified version of Facebook. I know that wiki type apps have their place but wherever you deal with a high risk you have to implement a role based model and Wave certainly is not. So, it may work for social networks where noone really thinks about security, but I doubt it will take off in an enterprise environment unless they change the security model (and the underlying architecture) in a significant way.

By: Social Media Security » Social Media Security Podcast 4 – Death by Twitter, Open Source Intelligence, Policies, Google Wave

Sat, 07 Nov 2009 22:39:26 +0000

[...] would we want to use this? What are some of the security issues with Google Wave? Check out the great research that theharmonyguy has been doing on Google [...]

By: theharmonyguy

theharmonyguy — Tue, 20 Oct 2009 19:27:10 +0000

@w3: Whitelisting is definitely not implemented yet, I tested the scenario that I describe of adding a user to contacts and a wave without permission. I do realize whitelisting is probably coming, but two points: (1) Why wasn’t such a basic feature it included to start with? (2) Where will such a technology fit in if it’s that closed?

@Erik: Funny you should mention e-mail clients – I was typing the next post when you commented, and basically made the same point. Thanks for the feedback.

By: Erik Mogensen

Erik Mogensen — Tue, 20 Oct 2009 19:02:41 +0000

These are all the same concerns that could be said for web based e-mail a few years ago, and indeed some fat e-mail clients with embedded browser components in them. Since they’re aiming at replacing e-mail (and a host of other forms of communication) they’re going to have to deal with all these problems at one point or another.

They can’t rely on the browser sandboxing, so they would have to create their very own sandbox, right in the browser. Whitelisting contacts as @w3 suggests won’t work, since an infection would spread virally if anyone in your network were infected.

By: w3

w3 — Tue, 20 Oct 2009 11:40:47 +0000

i thought whitelisting was soon coming to wave
it may already be in place – i dont know because i haven’t yet received a wave invite (and too lazy to google)

wave users will be able to select which people they want to collaborate with and place them on a whitelist of approved persons only those who are on the list will be able to contact you via wave and everyone else will be ignored

other than that a great article – very informative
i put this in my blog with my thoughts (credits included of course)

By: Tweets that mention First Impressions on Security in Google Wave | Social Hacking -- Topsy.com

Tue, 20 Oct 2009 02:47:55 +0000

[...] This post was mentioned on Twitter by theharmonyguy and Chris Almond, SocialMediaSecurity. SocialMediaSecurity said: First Impressions on Security in Google Wave http://bit.ly/3B3uy8 [...]