Oct. 26, 2009

Posted by in Google | 3 comments

Google Wave as a Tool for Hacking

Many security researchers are familiar with BeEF, a browser exploitation framework by Wade Alcorn. In short, BeEF is a program that brings together various types of code for taking advantage of known vulnerabilities in web browsers. If a target computer loads a certain bit of code within a web page, that code connects to a server control panel which can then execute certain attacks against the “zombie” machine.

After noting potential security issues with the gadgets in Google Wave, I set about to finally setup a BeEF testbed and see if Google Wave was as capable a platform for malware delivery as I suspected.

Example of a BeEF zombie spawned via Google Wave

Example of a BeEF zombie spawned via Google Wave

The picture above shows the results. I successfully created a Google Wave gadget that creates a new BeEF zombie whenever someone views the wave. This does not allow for the keylogger function of BeEF, but I did send an alert dialog (as shown) and used the Chrome DoS function to crash the browser tab. (I could also detect that the zombie machine had Flash installed – imagine the possibilities of using Flash or PDF exploits in an auto-loaded gadget.)

What’s even more disconcerting is that BeEF can integrate with Metasploit to potentially take over a victim’s machine. I do not currently have Metasploit setup to test using Autopwn, but based on my experiences so far, I’m fairly confident such an attack would succeed.

All of these demonstrations about security and Google Wave point to four general weaknesses in Wave’s current structure:

  1. Allowing scripts and iframes in gadgets with no limits apart from sandboxing
  2. Lack of control over what content or users can be added to a wave
  3. No simple mechanism for verifying gadget sources or features
  4. Automatically loading gadgets when a wave is viewed

Any one of these issues would be cause for concern, but taken together they present such alarming possibilities as a user getting their computer hacked simply by viewing a wave. Whatever may be said about Google Wave’s usefulness, I have to conclude that the product is not ready for prime time until these types of problems are addressed.

  1. Don’t you acknowledge that it is correct time to receive the mortgage loans, which will realize your dreams.

  2. Make your life time more easy get the business loans and everything you need.

  3. I’m grateful I discovered your blog on msn. Thanks for the sensible critique. Me and my wife had been just preparing to do some research in regards to this. I will be very happy to see this sort of good information getting shared freely out there.

Trackbacks/Pingbacks

  1. Tweets that mention Google Wave as a Tool for Hacking | Social Hacking -- Topsy.com - [...] This post was mentioned on Twitter by wanghongyang and theharmonyguy, Jeff Jarmoc. Jeff Jarmoc said: RT @secureideas: RT @theharmonyguy: ...
  2. Google Wave as a Tool for Hacking | The Edge of I-Hacked - [...] Social Hacking. Many security researchers are familiar with BeEF, a browser exploitation framework by Wade Alcorn. [...]
  3. uberVU - social comments - Social comments and analytics for this post... This post was mentioned on Twitter by theharmonyguy: New Post: Google Wave as a ...
  4. Google Wave as a Tool for Hacking | Social Hacking - [...] the whole story here: theharmonyguy aggregated by [...]
  5. New Gadgets | Google Wave as a Tool for Hacking | Social Hacking - [...] Original post by theharmonyguy [...]
  6. Interesting Information Security Bits for 10/27/2009 | Infosec Ramblings - [...] always, tools can be used for good or for evil. Google Wave as a Tool for Hacking | Social ...
  7. A word to the wise « Shift Research - [...] article just popped onto my radar:¬†Google Wave as a Tool for Hacking. The guys over at Social Hacking built ...
  8. Fresh From Twitter today | zu-web.de - [...] wave and web security : http://bit.ly/1Q2rO3 Surprise ! is has the same issue than mashup …1,127,479 views tells me ...
  9. Security in October: Google Wave, Facebook, XSS | .eduGuru - [...] has been busy testing Google Wave and Wave Gadgets (WG) and has discovered some interesting (read: scary) things. Gadgets ...
  10. h4×0r weekly « Fairweatherhero's Blog - [...] Of course this would happen. Google wave as a tool for hacking [...]

Leave a Reply