/ 9 August 2008

Google ‘gadgets’ called gateways for hackers

Hackers turned computer security specialists accuse Google of setting users up for online disasters by letting them personalise home pages with applications that could be tainted.

Software that hackers can trick people into installing on “iGoogle” home pages can track users’ activities and control their machines, said SecTheory chief executive Robert Hansen on Friday.

“I could force you to download child porn or send subversive material to China,” Hansen said. “The exploitation is almost limitless. Google has to fix it.”

Google lets people customise iGoogle home pages with mini-software programs called “gadgets” such as to-do lists, news feeds, currency converters, and calendars.

Hackers can program malicious code into proffered gadgets or break into systems hosted by engineers providing legitimate mini-programs.

“It turns out a lot of people who develop these things aren’t good at security,” Hansen said, citing research he and Cenzic security analyst Tom Stracener shared at a notorious annual DefCon hacker gathering in Las Vegas.

“We pretty much break into anything we try.”

Hackers can resort to a tactic of luring people to websites that trick people into installing applications in iGoogle home pages. A hacker can remotely control a victim’s computer as long as the iGoogle page is open.

Gmail users face danger from the same “hole” in security, according to Hansen, whose hacker name is “RSnake”.

“We’ve been telling Google about these vulnerabilities for years and they have not made corrective actions,” Hansen said.

“They chose to open the doors and insomuch put a lot of consumers at risk.”

Google says it checks gadgets for malicious code, rarely finding any, and that it removes tainted programs. – AFP