Dear Google Wave user, do not trust every wave, even if it comes from your co-worker. A wave can contain various elements, including text, images and attachments. The most powerful feature is that one can embed a gadget inside a wave. Wave gadgets are not full-blown applications, but small add-ons that can improve a conversation. For example, a wave might include a gadget that lets wave participants vote on where to go to lunch.
Let’s look at a simple hello world gadget:
<?xml version="1.0" encoding="UTF-8"?>
<Module>
  <ModulePrefs title="hello world example" />
  <Content type="html"><![CDATA[ Hello, world! ]]></Content>
</Module>
If you save this content in an XML file, host it on a server, and add the URL of this XML file while creating or replying to a wave, the participants of the wave will see the message “Hello, world!” when they open that wave. This is how a gadget works in Google Wave. Now, what happens if we modify the above gadget in the following way?
<?xml version="1.0" encoding="UTF-8"?>
<Module>
  <ModulePrefs title="hello world example" />
  <Content type="html"><![CDATA[
    <script type="text/javascript">
      top.location = "http://www.evil.com"
    </script>
  ]]></Content>
</Module>
Yes, the participants of the wave that includes this gadget will immediately be redirected to the evil site. A phishing attack with Google Wave is possible in this way, and that is the dangerous issue I am talking about. Hackers can redirect you to a page that looks similar to the Google Wave login page. You will think that for some reason you have been logged out, and you will enter your username and password to log in again instead of asking why you were logged out. As soon as you submit the credentials, the hacker will have your username and password, because you submitted them on the hacker’s page and not on the actual Google Wave login page.
This can happen because most users don’t always look at the browser’s address bar. Whenever they are asked for credentials, they will enter them, because the phishing page will look very similar to the real Google Wave login page. So always look at the address bar, especially when any credential is asked for. Just make sure you are putting the right information in the right place.
A similar attack can be used for a different purpose. One can use this redirection technique to increase traffic to his site as well. A wave can be public, and there is a way to search all public waves: search with with:public. You can add keywords as well, such as with:public first time. This way a user can search hundreds of thousands of public waves and then reply to all of them with the malicious gadget. Everyone who visits those waves will be redirected to the user’s site, and he will get a lot of traffic until Google catches him.
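
A defensive check for the redirect gadget shown above, as an added example that is not part of the original post or of Google Wave: it parses a gadget spec and reports script that navigates the top window, so a gadget URL can be reviewed before the wave is opened. The function name, the pattern list and the treatment of a missing type attribute are assumptions made for this illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples: the two gadget specs shown in the post.
HELLO_GADGET = """<?xml version="1.0" encoding="UTF-8"?>
<Module>
  <ModulePrefs title="hello world example" />
  <Content type="html"><![CDATA[ Hello, world! ]]></Content>
</Module>"""

REDIRECT_GADGET = """<?xml version="1.0" encoding="UTF-8"?>
<Module>
  <ModulePrefs title="hello world example" />
  <Content type="html"><![CDATA[
    <script type="text/javascript">
      top.location = "http://www.evil.com"
    </script>
  ]]></Content>
</Module>"""

# Script that navigates the embedding page instead of the gadget's own frame.
# Heuristic only: obfuscated forms such as window["top"] are not covered.
TOP_NAV = re.compile(r"""
    \b(?:window\s*\.\s*)?(?:top|parent)\s*\.\s*location   # top.location, parent.location
    (?:\s*\.\s*(?:href|assign|replace))?                  # optional .href/.assign/.replace
    \s*(?:=(?!=)|\()                                      # assignment or call, not ==
""", re.VERBOSE)
URL_LITERAL = re.compile(r"""["'](https?://[^"']+)["']""")

def find_top_navigation(gadget_xml):
    """Return a finding for each top-window navigation in HTML <Content> blocks."""
    if "<!DOCTYPE" in gadget_xml or "<!ENTITY" in gadget_xml:
        raise ValueError("DTD/entity declarations are not expected in a gadget spec")
    root = ET.fromstring(gadget_xml.encode("utf-8"))
    findings = []
    for content in root.iter("Content"):
        if content.get("type", "html") != "html":  # missing type treated as html (assumption)
            continue
        body = content.text or ""
        for match in TOP_NAV.finditer(body):
            # Look for a literal URL in the rest of the same statement only.
            rest = re.split(r"[;\n]", body[match.end():], maxsplit=1)[0]
            url = URL_LITERAL.search(rest)
            findings.append({"statement": match.group(0).strip(),
                             "target": url.group(1) if url else None})
    return findings

if __name__ == "__main__":
    for name, spec in (("hello", HELLO_GADGET), ("redirect", REDIRECT_GADGET)):
        print(name, find_top_navigation(spec))
```

A clean result only means none of the listed patterns matched; checking the address bar before entering credentials still applies.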