Google Wave – Make your friends logout gadget

Fernando — Fri, 20 Nov 2009 04:04:14 +0000

Adding this gadget to any wave will make people log out when they see it:

The code:

Google Gadgets XSS (IE6/Opera)

Fernando — Sun, 25 Nov 2007 09:58:23 +0000

There is a recent discussion on ha.ckers.org regarding a possible CSRF that could allow an attacker to inject an evil gadget on someobdy else's iGoogle page. After checking the format of the xml file used to define the gadgets properties, I noticed a couple of attributes that could be used as point of injections to active content, the thumbnail and screenshot attribute. Only one of them is vulnerable, the screenshot attribute, by using a javascript URI as value you can execute active content on certain browsers such as IE6. This is a poc that shows an alert with the current document.domain value:

www.google.com/ig/adde?moduleurl=http://beford.org/stuff/ig.xml

I've just notified Google about this, to avoid been a target of this flaw you can switch to Mozilla Firefox (+Noscript), or upgrade to IE7, which is not an option for Windows 2000 users.

Update: According to a friend, Rafael, Opera users are vulnerable aswell, he sent me an screenshot which you can see here: Opera Google XSS.

Update 2: Google fixed this on 27 November.

stuff » xml

Google Wave – Make your friends logout gadget

Google Gadgets XSS (IE6/Opera)