This post is about a possible attack on Google Wave which could at the least disrupt the wave experience, if not steal the credentials. This attack is similar to the one on Orkut Opensocial that I had published earlier. I am sure someone somewhere would have already figured this out, but I chose to post this anyway since I got some time off FlashPlus, my Google Chrome extension.
The hack can be done by anyone anonymously and on public waves.
- Create a phished Google Login page. You could check out tackle.
- Search for public waves
- Reply to one of the messages, insert a gadget in your reply
- The gadget sets the top.location to the phished page.
- The victim now visits the wave and opens this unread wave
- The gadget kicks in, redirects the user to a phished page
- Since the victim was still inside and browsing wave, they may not suspect a phished page. They may think that they were simply logged out.
A couple of ways to anonymize the attacker could be
- Make the gadget set top.location after a window.setTimeout, instead of doing it immediately.
- Do not redirect all users. Redirect them if a certain cookie is not set. If a cookie is set, they were already phished.
- Create anonymous accounts on Gmail, host gadget and phished page using Google Gadget Editor on iGoogle. This shows the wave URL on a gmodules.com domain, something that's more believable.
- Submit credentials from the phished page to a form created using Google spreadsheets.
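The two pieces a defender would want against the gadget redirect described in the steps above, and against the delayed and cookie-gated variants in the list just given, as an added example that is not code from the original post or from Google Wave: a static check over gadget XML that flags top-window navigation (plus the two evasion markers), and the iframe markup a host should emit for untrusted gadgets, using the HTML `sandbox` attribute without `allow-top-navigation` (a modern browser control, not something Wave itself used). The sample gadgets and the `login-placeholder.invalid` URL are constructed for the example; the function names are my own. Runs under Node.js with no dependencies.

```javascript
// Added example, not code from the original post or from Google Wave.
// 1. scanGadget(): static check over OpenSocial/iGoogle gadget XML for
//    attempts to navigate the embedding (top) window, plus the evasions
//    the post lists (delayed execution, cookie-gated behaviour).
// 2. gadgetFrameHtml(): embed markup using the HTML sandbox attribute
//    without allow-top-navigation, so the browser refuses the redirect.
// Sample gadgets and the placeholder URL below are constructed.

// Ways gadget script can move the page that embeds it.
const TOP_NAV_PATTERNS = [
  { name: 'top.location', re: /\btop\s*\.\s*location\b/ },
  { name: 'parent.location', re: /\bparent\s*\.\s*location\b/ },
  { name: 'window.top', re: /\bwindow\s*\.\s*top\b/ },
  { name: 'window.open', re: /\bwindow\s*\.\s*open\s*\(/ },
];

// Signs that the behaviour is hidden from a quick review or a first visit.
const EVASION_PATTERNS = [
  { name: 'setTimeout', re: /\bsetTimeout\s*\(/ },
  { name: 'document.cookie', re: /\bdocument\s*\.\s*cookie\b/ },
];

// Pull the HTML/JS body out of each <Content> element, dropping CDATA wrappers.
function extractContentBodies(gadgetXml) {
  const bodies = [];
  const re = /<Content\b[^>]*>([\s\S]*?)<\/Content>/gi;
  let m;
  while ((m = re.exec(gadgetXml)) !== null) {
    bodies.push(m[1].replace(/^\s*<!\[CDATA\[/, '').replace(/\]\]>\s*$/, ''));
  }
  return bodies;
}

function scanGadget(gadgetXml) {
  const findings = [];
  for (const body of extractContentBodies(gadgetXml)) {
    for (const p of TOP_NAV_PATTERNS) {
      if (p.re.test(body)) findings.push({ kind: 'top-navigation', name: p.name });
    }
    for (const p of EVASION_PATTERNS) {
      if (p.re.test(body)) findings.push({ kind: 'evasion', name: p.name });
    }
  }
  // Any top-navigation attempt is enough to block. Evasion markers alone are
  // only reported, since timers and cookies also have legitimate uses.
  const navigates = findings.some((f) => f.kind === 'top-navigation');
  return { verdict: navigates ? 'block' : 'allow', findings };
}

function escapeAttr(s) {
  return String(s)
    .replace(/&/g, '&amp;').replace(/"/g, '&quot;')
    .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Embed markup for untrusted gadget content. Scripts and forms are allowed;
// allow-top-navigation is deliberately absent, so a top.location assignment
// inside the frame is refused by the browser and the user stays in the wave.
// allow-same-origin is also left out so the frame cannot strip its own sandbox.
function gadgetFrameHtml(src) {
  return `<iframe sandbox="allow-scripts allow-forms" src="${escapeAttr(src)}"></iframe>`;
}

// Constructed samples: a harmless gadget and one shaped like the post's description.
const BENIGN_GADGET = `<?xml version="1.0"?>
<Module><ModulePrefs title="Counter"/>
<Content type="html"><![CDATA[
<div id="n">0</div>
<script>document.getElementById('n').textContent = '1';</script>
]]></Content></Module>`;

const SUSPECT_GADGET = `<?xml version="1.0"?>
<Module><ModulePrefs title="Counter"/>
<Content type="html"><![CDATA[
<script>
window.setTimeout(function () {
  if (document.cookie.indexOf('seen=') === -1) top.location = 'https://login-placeholder.invalid/';
}, 5000);
</script>
]]></Content></Module>`;

console.log(JSON.stringify(scanGadget(BENIGN_GADGET)));
console.log(JSON.stringify(scanGadget(SUSPECT_GADGET)));
console.log(gadgetFrameHtml('https://gmodules.com/ig/ifr?url=PLACEHOLDER'));
```

The scanner is a review aid, not a proof of safety: obfuscated script (string-built property names, eval) slips past regexes, which is why the sandbox attribute on the host side is the control that actually holds. The benign gadget returns `allow` with no findings; the suspect one returns `block` with one top-navigation finding and both evasion markers.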