Oct. 27, 2009

Posted by in Google | 2 comments

Cross-Gadget Security in Google Wave

While examining the behavior of gadgets in Google Wave, I noticed another potential security problem in addition to the ones I’d already listed. Each gadget is loaded in a container iframe with a domain separate from the main page, preventing access to the DOM of the Wave interface itself.

However, I also noticed that the container iframes for all of the gadgets I tested used the same domain. That allows one gadget to access the DOM of another gadget. Pictured below is a test gadget that generates an alert displaying the HTML source of the first gadget in the wave, in this case a Yes/No/Maybe gadget from Google.

A test gadget accessing the DOM of another gadget in Google Wave.


What’s the danger in this sort of cross-gadget access? Consider that people have already created gadgets for accessing your Facebook and Twitter. Granted, most of those gadgets have used iframes which load other sites, and thus cross-domain rules would prevent any data breaches. Also, one Twitter gadget I tried actually loaded using its own container URI instead of the standard Google server. But as developers continue to publish more powerful gadgets, cross-gadget access poses some serious risks of CSRF and data theft.
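To make the same-origin point concrete, here is an added example (not code from the original post or from Google Wave) that audits a list of gadget container URLs, reports which gadgets share an origin and can therefore script each other, and shows the effect of giving each gadget its own container hostname. All hostnames, gadget names and the `isolate` scheme are assumptions made up for illustration.

```javascript
// Constructed sample data: two gadgets on a shared container host and one
// (like the Twitter gadget mentioned above) served from its own container.
const sampleGadgets = [
  { name: 'yes-no-maybe', specUrl: 'https://gadgets.example/ynm.xml',
    containerUrl: 'https://container.example/gadgets/ifr?url=ynm.xml' },
  { name: 'test-gadget', specUrl: 'https://dev.example/test.xml',
    containerUrl: 'https://container.example:443/gadgets/ifr?url=test.xml' },
  { name: 'twitter-gadget', specUrl: 'https://tw.example/tw.xml',
    containerUrl: 'https://tw-container.example/ifr' },
];

// Report every origin that hosts more than one gadget. The browser compares
// scheme + host + port, so ":443" on https is the same origin as no port.
function findSharedOrigins(gadgets) {
  const groups = new Map();
  for (const g of gadgets) {
    const origin = new URL(g.containerUrl).origin;
    if (!groups.has(origin)) groups.set(origin, []);
    groups.get(origin).push(g.name);
  }
  return [...groups]
    .filter(([, names]) => names.length > 1)
    .map(([origin, names]) => ({ origin, gadgets: names }));
}

// FNV-1a, used here only to derive a stable hostname label per gadget spec.
// A production scheme would need a collision-resistant hash.
function fnv1a(s) {
  let h = 0x811c9dc5;
  for (let i = 0; i < s.length; i++) {
    h ^= s.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, '0');
}

// Hypothetical mitigation: serve each gadget from a hostname derived from
// its spec URL, so no two different gadgets end up on the same origin.
function isolate(gadgets, baseHost) {
  return gadgets.map(g => ({
    ...g,
    containerUrl: `https://${fnv1a(g.specUrl)}.${baseHost}/gadgets/ifr`,
  }));
}

console.log(findSharedOrigins(sampleGadgets));
console.log(findSharedOrigins(isolate(sampleGadgets, 'container.example')));
```

The first call flags the two gadgets on the shared container host; after `isolate`, no origin hosts more than one gadget.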

  1. Thanks for the post. As with other Google technology, Google Wave was carefully designed with security in mind from the start and has undergone in-depth security reviews. However, Google Wave is still in an early preview stage, and we are continuing to develop and refine the security model in advance of broader release. Handling permissions is under active development. Stay tuned!

    Also, feel free to contact us directly at security@google.com in the future. More info on reporting security issues to Google is available here: http://www.google.com/intl/en/corporate/security.html.

    — The Google Wave Team

  2. Can you elaborate on the security flaw here? I am not able to understand.
