Security in October: Google Wave, Facebook, XSS

By - Fri, Oct 30



Further support of what I mentioned in my presentation

In my cross-site scripting presentation at #heweb09, I mentioned that a North Carolina State University report from September showed that users clicked the “OK” button on message alerts 61% of the time, regardless of whether the alert was legitimate or not.  From that I concluded that we could be reasonably certain that, as an attacker, we would have a 1 in 2 shot of tricking a victim into clicking an exploited link via email, IM, Twitter, etc.  A recent study from the Intrepidus Group (the company behind now confirms my hypothesis: the report concludes that 60% of people click the link contained in a phishing email within the first hour of receiving it.

In addition, a 2005 study (pdf) at Indiana University concluded “…that Internet users may be over four times as likely to become victims if they are solicited by someone appearing to be a known acquaintance.”  So what does this mean to us in higher education?  Given that users are even more likely to be fooled by phishing attempts from “known acquaintances” on social networking sites, we need to be very diligent in protecting our university accounts on those sites.  Don’t allow your admins to use frivolous applications on Facebook (see Hacked Facebook applications below), remove admins who are no longer active, and change your Facebook password frequently.


WordPress inadvertent disclosure bug

Turns out this one is actually a problem with TinyMCE, which WordPress uses as its WYSIWYG editor.  If you paste content into the Visual editor, TinyMCE creates a second, hidden (style="overflow: hidden; position: absolute; left: -10000px;") copy of your pasted contents.  The problem is that in some situations TinyMCE does not remove this hidden div when you publish.  This means that the ORIGINAL contents of what you pasted are published as a hidden div inside your post.  Again, not the worst security issue, but it could definitely cause problems if you pasted some content that you really didn’t want published.

(via Something Better to Do)
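As an added example (not code from the post, WordPress or TinyMCE), here is a publish-time check that finds and strips off-screen blocks of the kind described above before the post goes out.  The negative-offset threshold and the assumption that the leftover block is a flat div are mine.

```javascript
// Added example: detect and remove off-screen hidden divs of the TinyMCE
// paste-bin shape (position: absolute with a large negative left offset).
function parseInlineStyle(styleText) {
  const decls = {};
  for (const part of styleText.split(';')) {
    const idx = part.indexOf(':');
    if (idx === -1) continue;
    decls[part.slice(0, idx).trim().toLowerCase()] = part.slice(idx + 1).trim().toLowerCase();
  }
  return decls;
}

function isOffScreenHidden(decls) {
  if (decls['position'] !== 'absolute') return false;
  const left = parseFloat(decls['left']);
  return !Number.isNaN(left) && left <= -1000;  // threshold is an assumption
}

// Matches a <div ... style="..."> ... </div> that contains no nested div
// (assumption: the paste bin is a flat div, as the post describes).
const HIDDEN_DIV_RE = /<div\b[^>]*\bstyle\s*=\s*(["'])([^"']*)\1[^>]*>(?:(?!<div\b)[\s\S])*?<\/div>/gi;

// Returns the raw HTML of every hidden block found, so an editor can review it.
function findHiddenPastedContent(html) {
  const hits = [];
  for (const m of html.matchAll(HIDDEN_DIV_RE)) {
    if (isOffScreenHidden(parseInlineStyle(m[2]))) hits.push(m[0]);
  }
  return hits;
}

// Returns the post body with hidden blocks removed; visible markup is untouched.
function stripHiddenPastedContent(html) {
  return html.replace(HIDDEN_DIV_RE, (m, quote, style) =>
    isOffScreenHidden(parseInlineStyle(style)) ? '' : m);
}

// Constructed sample post body: a visible paragraph, a leftover paste bin,
// and a harmless relatively positioned div that must survive.
const SAMPLE_POST = '<p>Published text.</p>' +
  '<div style="overflow: hidden; position: absolute; left: -10000px;">' +
  '<p>Draft note: salary figures, do not publish</p></div>' +
  '<div style="position: relative; left: -5px;">fine</div>';
```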

Hacked Facebook applications in the wild

Many have been saying it was only a matter of time, and it looks like that time is finally here.  Several Facebook applications have been hacked and are directing users to download a fake update for an out-of-date version of Adobe Reader from a Russian site.  Affected Facebook applications (so far) include:

  • CityFireDepartment
  • MyGirlySpace
  • Ferrarifone
  • Mashpro
  • Mynameis
  • Pass-it-on
  • Fillinthe
  • Aquariumlife

Until the developers are able to correct the issues, steer clear of the above apps.  Also, it’s a good idea not to use ANY frivolous Facebook applications if you are the admin of a university-owned page or group.


Google Wave Security Issues

The recent release of Google Wave invites over the last couple of weeks has spurred significant interest in the higher ed community.  Those of us lucky enough to receive an invite have rushed out and started “waves” with others in the community.  As we begin to use this tool more and more, many of us will research and use the various plugins that are available.  In fact, if you were in on the “Google Wave in Higher Education” wave, you saw a gadget in action: the “Are You Coming?” gadget was used to poll who was planning on attending the EDUCAUSE Annual Conference.  I bring this up because it appears that Google has been fairly lax, security-wise, in the way it currently allows gadgets to be created and used.

@theharmonyguy has been busy testing Google Wave and Wave Gadgets (WG) and has discovered some interesting (read: scary) things.  Gadgets work by loading an iframe inside the Wave.  In their current form, gadgets are allowed not only to load in an invisible state but also to run JavaScript.  Scripts inside a gadget are not allowed to access the DOM of Google Wave itself; however, as he discovered, all gadget container iframes are loaded from the same domain, so scripts from one gadget are able to access the DOM of another gadget.  Combine this with the fact that gadgets load automatically as soon as you open a wave, AND that you can be added to a wave as long as someone knows your wave account or Gmail address, and what you have is a perfect platform for phishing.
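An added example, not Google’s or @theharmonyguy’s code, of the same-origin reasoning above: it groups gadget iframe URLs by browser origin to show which gadgets could reach each other’s DOM, then rewrites each gadget onto its own sandbox host so the origins differ.  The gadget URLs and the sandbox host suffix are constructed placeholders.

```javascript
// Added example: two iframes share an origin when scheme, host and port match;
// only then can script in one reach the other's DOM. Node's global URL class
// normalises default ports and case for us.
function originOf(src) {
  return new URL(src).origin;
}

function groupGadgetsByOrigin(gadgetSrcs) {
  const groups = new Map();
  for (const src of gadgetSrcs) {
    const origin = originOf(src);
    if (!groups.has(origin)) groups.set(origin, []);
    groups.get(origin).push(src);
  }
  return groups;
}

// Origins hosting more than one gadget: every gadget in such a group can read
// and rewrite the others' DOM (form fields, links, displayed text).
function sharedOriginViolations(gadgetSrcs) {
  return [...groupGadgetsByOrigin(gadgetSrcs)]
    .filter(([, srcs]) => srcs.length > 1)
    .map(([origin, srcs]) => ({ origin, gadgets: srcs }));
}

// Small FNV-1a hash, used only to derive a distinct hostname label per gadget.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (const ch of str) {
    h ^= ch.codePointAt(0);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, '0');
}

// One standard mitigation: serve each gadget from its own subdomain so the
// browser treats them as different origins. The suffix is a placeholder.
function isolatedGadgetUrl(src, sandboxSuffix = 'gadget-sandbox.invalid') {
  const href = new URL(src).href;
  return `https://${fnv1a(href)}.${sandboxSuffix}/proxy?src=${encodeURIComponent(href)}`;
}

// Constructed sample: two gadgets on one shared container host, one elsewhere.
const SAMPLE_GADGETS = [
  'https://wave-gadgets.example/ifr?url=are-you-coming.xml',
  'https://wave-gadgets.example:443/ifr?url=poll.xml',
  'https://other-host.example/ifr?url=calendar.xml',
];
```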

We all love new technology, especially technology that lets us communicate in new, more efficient ways.  But we need to remember that the attacks we are familiar with in “old” technologies follow along with us.  Hopefully Google will have all of this worked out before the official launch of Wave.  Until then, be leery of opening waves from people you don’t know.

Photo credit: catatronic (CC)

This post was written by:

- who has written 2 posts on .eduGuru

9 Responses to “Security in October: Google Wave, Facebook, XSS”

  1. Says:

Feels like I am the only one who doesn’t get the hype with Google Wave. I have an account, but I am pretty disappointed with it so far.

  2. Says:

I honestly haven’t been all that impressed with Google Wave yet either. It was great in theory though when I watched their initial demo video, but of course they are still working all the bugs out. Also, it is kind of hard to test when you only get 8 invitations to send out. Hopefully Google will get it all figured out in the near future, including the security issues.

  3. Says:

    I definitely agree that Google Wave is a bit disappointing. I’m hoping that as more people in my own social networks get Wave I’ll start to see the practical uses come out. It does make me nervous how lax it seems Google Wave is with their gadgets, but maybe more security measures are being taken to moderate this sort of thing. I can just imagine when it goes public that public waves will be spammers heaven… I guess we’ll see though.

  4. Says:

Actually, I don’t like Google Wave and honestly haven’t been impressed at all. It has complex features for social media, and now after reading your article, I feel that Google Wave is vulnerable to attack using DOM access. I will think twice about using this service.

  5. Says:

This is a fabulous web site, I’m delighted I came across this. I’ll be back again later on to check out other posts that you have on your blog.

  6. Says:

  7. Says:

    Well Google is finally giving up on Wave (pity - I liked the name if nothing else) and everyone should know how open Facebook apps are by now.


  1. Security in October: Google Wave, Facebook, XSS | .eduGuru | ePortals says:

    [...] here: Security in October: Google Wave, Facebook, XSS | .eduGuru [...]
