Phishing with Google Wave

Phishing is usually categorized under social engineering rather than as a technical hack. It is inherently about tricking the user into clicking a link or visiting a web page. However, when the victim is tricked into visiting the phished page while they are still on a genuine site, that should be a cause for concern: since the victim did not initiate the move to the phished page, they are caught off guard.

This post is about a possible attack on Google Wave which could at the least disrupt the Wave experience, if not steal credentials. This attack is similar to the one on Orkut OpenSocial that I published earlier. I am sure someone somewhere has already figured this out, but I chose to post this anyway since I got some time off from FlashPlus, my Google Chrome extension.
The hack can be done by anyone, anonymously, on public waves.
  1. Create a phished Google login page. You could check out tackle.
  2. Search for public waves.
  3. Reply to one of the messages and insert a gadget in your reply.
  4. The gadget sets top.location to the phished page.
  5. The victim visits Wave and opens this unread wave.
  6. The gadget kicks in and redirects the user to the phished page.
  7. Since the victim was still inside Wave and browsing, they may not suspect a phished page; they may think that they were simply logged out.
The following video shows these steps.
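The redirect in step 4 works because a gadget is an embedded frame whose script can assign `top.location`, and the container, as the post describes, does not stop it. The control a container has on the defending side is the HTML5 iframe `sandbox` attribute: a frame whose sandbox omits `allow-top-navigation` cannot navigate the top window (browser support for that attribute was only beginning to appear when this was written). The following is an added example, not code from this post or from Google Wave; the container functions, the policy layout and the sample markup are hypothetical and constructed for illustration.

```javascript
// Added example, not code from the original post or from Google Wave.
// Shows how a gadget container can stop an embedded, untrusted gadget from
// assigning top.location (the redirect the post describes) by sandboxing
// its <iframe>, and how to audit container markup for frames that still
// allow it. Function names and sample markup are hypothetical.

// Sandbox tokens that re-enable navigation of the top-level window.
const TOP_NAV_TOKENS = new Set([
  'allow-top-navigation',
  'allow-top-navigation-by-user-activation',
]);

// Policy a hardened container would use: scripts and forms may run inside
// the frame, but the frame cannot touch the parent or the top window.
const HARDENED_SANDBOX = ['allow-scripts', 'allow-forms'];

// Minimal attribute-value escaping so a gadget URL cannot break out of the tag.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Render the iframe that embeds a gadget under a sandbox policy. An empty
// policy list yields sandbox="" (everything restricted).
function renderGadgetFrame(gadgetUrl, sandboxTokens = HARDENED_SANDBOX) {
  const src = escapeAttr(gadgetUrl);
  const sandbox = escapeAttr(sandboxTokens.join(' '));
  return `<iframe src="${src}" sandbox="${sandbox}"></iframe>`;
}

// Check a list of sandbox tokens. Returns findings; an empty list means the
// frame cannot redirect the top window under this policy.
function auditSandboxTokens(tokens) {
  const set = new Set(tokens);
  const findings = [];
  for (const token of set) {
    if (TOP_NAV_TOKENS.has(token)) {
      findings.push(`${token} lets the gadget navigate the top window`);
    }
  }
  // Known caveat: with both of these, a frame served from the container's own
  // origin can reach into the parent document and remove its sandbox attribute.
  if (set.has('allow-scripts') && set.has('allow-same-origin')) {
    findings.push('allow-scripts with allow-same-origin lets a same-origin gadget remove its own sandbox');
  }
  return findings;
}

// Scan container markup for <iframe> elements and report those an embedded
// gadget could use to redirect the whole page. Regex-based on purpose: it is
// meant for reviewing markup the container itself rendered, not for parsing
// arbitrary HTML.
function auditEmbedMarkup(html) {
  const report = [];
  const iframeRe = /<iframe\b([^>]*)>/gi;
  let match;
  while ((match = iframeRe.exec(html)) !== null) {
    const attrs = match[1];
    const src = (attrs.match(/\bsrc\s*=\s*"([^"]*)"/i) || [])[1] || '';
    const sandboxAttr = attrs.match(/\bsandbox\s*=\s*"([^"]*)"/i);
    if (!sandboxAttr) {
      report.push({ src, findings: ['no sandbox attribute: frame may set top.location'] });
      continue;
    }
    const tokens = sandboxAttr[1].trim().split(/\s+/).filter(Boolean);
    const findings = auditSandboxTokens(tokens);
    if (findings.length > 0) {
      report.push({ src, findings });
    }
  }
  return report;
}

// Constructed sample: three gadget frames as a container might render them.
// Only the third one uses the hardened policy.
const SAMPLE_CONTAINER_HTML = [
  '<div class="blip">',
  '  <iframe src="https://example.com/gadgets/a.xml"></iframe>',
  '  <iframe src="https://example.com/gadgets/b.xml" sandbox="allow-scripts allow-top-navigation"></iframe>',
  '  ' + renderGadgetFrame('https://example.com/gadgets/c.xml'),
  '</div>',
].join('\n');

// Running the audit over the sample flags the first two frames and not the third.
console.log(JSON.stringify(auditEmbedMarkup(SAMPLE_CONTAINER_HTML), null, 2));
```

The audit flags a frame with no `sandbox` attribute at all (the situation the post relies on) and a frame whose policy grants `allow-top-navigation`; the frame rendered with the hardened policy passes. The same-origin check is the one caveat worth remembering: sandboxing only holds if the gadget is served from a different origin than the container, or `allow-same-origin` is left out.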

A couple of ways to anonymize the attacker could be:
  • Make the gadget set top.location after a window.setTimeout instead of doing it immediately.
  • Do not redirect all users. Redirect them only if a certain cookie is not set; if the cookie is set, they were already phished.
  • Create anonymous accounts on Gmail, and host the gadget and the phished page using the Google Gadget Editor on iGoogle. This shows the URL on a domain that is more believable.
  • Submit credentials from the phished page to a form created using Google Spreadsheets.
I am not sure how harmful this hack can get. I have pinged a friend at Google about this.