Oct. 19, 2009

Posted by in Google | 6 comments

First Impressions on Security in Google Wave

Nearly two years ago, many technology sites brimmed with hype over a new Google technology called OpenSocial. Bloggers questioned if OpenSocial would spell the end of Facebook. Amid all the discussion, I felt that many people were ignoring several serious issues regarding how OpenSocial would handle user data, privacy, and security. A few people brought up questions on this topic, but until an actual implementation hit the market, no one seemed completely sure how OpenSocial would work in practice.

When I heard that Plaxo had brought an OpenSocial framework online, I decided to check out its security for myself. That led to the first hack of an OpenSocial application, and my white-hat hacking hobby began. Admittedly, the “hack” came from poor coding practices on RockYou’s part, but highlighted the need for better authentication in OpenSocial, a problem corrected in later revisions. Still, the event was an inspiration, and led me to continue investigating my previous hacks of Facebook applications, which led to the more serious issues in this year’s FAXX hacks.

Memories of two years ago came back to mind yesterday when I received a Google Wave invite from a friend. Wave has received its share of hype, despite not being publicly available, though lately it’s drawn increasing criticism. Yet I’ve not seen many people explore the security or privacy implications of using the new platform. I decided to take advantage of the invite and start hacking Wave.

What I find was rather surprising, though not entirely unexpected. I’ve noticed several issues with the current version that could be exploited or create more serious problems in the future. Some will argue that bugs should be expected in early versions of a new product, and that future upgrades will improve the situation.  However, I would contend that some of the points raised here deal with basic aspects that should have been addressed from the very beginning. I would also add that I think Google overlooked an opportunity to add more social networking components to their system that could allow them to offer a stronger alternative to Facebook.

Anyway, here are a few of the problems with Google Wave I’ve noticed so far that I’ve not seen on several other lists of Wave criticisms:

  • Allowing iframes in waves. Creating a gadget that loads an iframe is a fairly trivial task. The iframe loads within a container iframe that separates it from the DOM for Wave itself. Still, one can load just about any page using such an iframe. This means that any attack requiring a user to load an infected page, such as my original demonstration of a FAXX hack, can be automated, since viewing the wave loads the iframe page. This can also be easily adapted to make POST requests for CSRF attacks.
  • Allowing invisible iframes in waves. Not only can a gadget include an iframe, it can style that iframe to be invisible, either hiding the attack from wave participants or to create a clickjacking attack within the gadget. Basically, while gadgets load in container iframes, they otherwise have free reign to include any HTML a coder desires. Note that allowing iframes could potentially let an attacker include code for finding browser exploits, which can then allow for malware delivery or even taking over a user’s system.
  • Allowing scripts in waves. Once again, the scripts execute in a container iframe, so one cannot simply wreak havoc with the main application DOM. But scripts do open up several possibilities. In fact, I’ve already created a wave that forwards users to a particular page as soon as they view the wave, since the script is loaded automatically when someone views the wave.
  • Allowing dynamic changes to gadgets. Google may argue that this problem is actually a feature. Essentially, a gadget is loaded dynamically from its source every time a wave is loaded. That means someone could insert an innocent-looking gadget into a wave, then the gadget owner could switch the gadget for a malicious one later on. In fact, since gadgets can be hosted anywhere, an included gadget could even be taken offline, taking away from one of Wave’s selling points (better preserving a record of communications).
  • Allowing gadget access to participant information. Currently, a gadget can only access basic identifying information about who participates in a wave and who is viewing the wave when the gadget loads. However, one can already note several indications that Google will likely expand this functionality to resemble a more complete OpenSocial implementation. As with Facebook applications, allowing such unfettered access for any gadget on initialization raises a number of concerns.
  • Not allowing users to be removed from a wave. I realize that since waves are shared among participants, removing users raises questions of who in the wave is authorized to make such decisions. Still, I find it a glaring oversight that the product includes no mechanism for removing a user whatsoever, especially considering that anyone can join a public wave.
  • Allowing users to add anyone to a wave without approval. If I know the Google account you use for Wave, I can add you as a contact and add you to a wave, which will then appear in your inbox. This all happens without any action on your part. And if I include a malicious gadget, you will load that gadget as soon as you click on the new wave to find out what it’s about.

Once again, many will argue that Google will eventually address these problems, and I certainly hope they do. But I find such oversights of basic security issues rather disconcerting. And while sites such as iGoogle have included “gadgets” with scripts for some time, Wave adds a new dimension in that such gadgets can be loaded with hardly any user interaction or approval.

One possible solution that people will raise is that Google can shut down accounts of known attackers or spammers, ensuring that each Wave user corresponds to a real person who will abide by certain rules, as Facebook has sought to do. But doesn’t this turn Google Wave into exactly the same kind of closed garden which Facebook’s critics have lambasted so often? Yet if Google is not the gatekeeper and opens up the system to users with Google accounts, what has Wave done to address spam and malicious attacks? In fact, as expounded above, if Wave is open to anyone, it provides a powerful new means for delivering malware and exploiting vulnerable users.

Again, I realize that Wave will probably include more privacy controls, such as who can add you to a wave without your permission. But if Google is not building such controls into the product to start with, how effective will they be when they do finally appear?

  1. i thought whitelisting was soon coming to wave
    it may already be in place – i dont know because i haven’t yet received a wave invite (and too lazy to google)

    wave users will be able to select which people they want to collaborate with and place them on a whitelist of approved persons only those who are on the list will be able to contact you via wave and everyone else will be ignored

    other than that a great article – very informative
    i put this in my blog with my thoughts (credits included of course)

  2. These are all the same concerns that could be said for web based e-mail a few years ago, and indeed some fat e-mail clients with embedded browser components in them. Since they’re aiming at replacing e-mail (and a host of other forms of communication) they’re going to have to deal with all these problems at one point or another.

    They can’t rely on the browser sandboxing, so they would have to create their very own sandbox, right in the browser. Whitelisting contacts as @w3 suggests won’t work, since an infection would spread virally if anyone in your network were infected.

  3. @w3: Whitelisting is definitely not implemented yet, I tested the scenario that I describe of adding a user to contacts and a wave without permission. I do realize whitelisting is probably coming, but two points: (1) Why wasn’t such a basic feature it included to start with? (2) Where will such a technology fit in if it’s that closed?

    @Erik: Funny you should mention e-mail clients – I was typing the next post when you commented, and basically made the same point. Thanks for the feedback.

  4. mike wilson says:

    Interesting analysis. While each individual vulnerability is not much of a concern (they may be addressed in future releases), put together they underline some serious weaknesses of the security model. I am more and more convinced that Google just created a glorified version of Facebook. I know that wiki type apps have their place but wherever you deal with a high risk you have to implement a role based model and Wave certainly is not. So, it may work for social networks where noone really thinks about security, but I doubt it will take off in an enterprise environment unless they change the security model (and the underlying architecture) in a significant way.

  5. I propose not to hold off until you earn big sum of cash to order goods! You can just take the loans or just student loan and feel free

  6. It is the ideal website for everybody who desires to learn more about this particular issue. I’ll bookmark your blog and also visit it frequently. I am extremely online surveys for money happy with your abilities.


  1. Tweets that mention First Impressions on Security in Google Wave | Social Hacking -- Topsy.com - [...] This post was mentioned on Twitter by theharmonyguy and Chris Almond, SocialMediaSecurity. SocialMediaSecurity said: First Impressions on Security in ...
  2. Social Media Security » Social Media Security Podcast 4 – Death by Twitter, Open Source Intelligence, Policies, Google Wave - [...] would we want to use this?  What are some of the security issues with Google Wave?  Check out the ...
  3. Google Wave – Security Risk, Fun Distraction, or Crime Solving Tool? | Applied Signs & Display Blog - [...] TheHarmonyGuy has highlighted what he believes to be some serious security gaps which could lead to social hacking or ...
  4. Update: First Impressions on Security in Google Wave | Legal Technology Today - [...] via First Impressions on Security in Google Wave | Social Hacking. [...]
  5. Cultural Heritage » Blog Archive » Google Wave and libraries: a snapshot - [...] Security concerns about Wave were raised and it seemed that a number of organisations’ ICT departments have reservations about ...

Leave a Reply