Tuesday 3 November 2009

White Hat Hackers Already Testing Google Wave



The above screenshot shows an actual gadget inside a Wave that was created by White Hat Hacker Harmony.
Imagine the possibilities of connecting Facebook with Google Wave. You could post information to your Facebook profile right from within Wave, or connect wave participants to Facebook profiles. If you came across this gadget in a wave you were viewing, wouldn’t you love to at least try it out?
There’s just one problem. The above gadget is fake. Not the screenshot, mind you: Harmony has created the gadget, but nothing will happen when you try to connect.
And in this case, truly nothing will happen, since the gadget is designed to be harmless, but I imagine many users would fall prey to such a trick, which could be easily adapted for phishing attacks.
Ask yourself honestly, would you have tried to log in? More importantly, if you came across such a gadget in a wave, how would you know whether it came from me, a legitimate developer, facebook.com, or a malicious host?
I post all this to raise a broader point than simply “beware of phishing attacks.” The balance between security and usability is a constant struggle for developers.
Yet we all need to be concerned by the patterns we are training users to become accustomed to. Remember that most people now access Facebook from their place of work, and this will in all probability also be the case with Google Wave in the future. (The above case in point: chromeless gadgets within a wave that provide no indication of their source.)
In some ways I almost feel that Google Wave is recreating the web browser. Browsers are applications that can load any sort of web page. Google Wave is an application that can load all sorts of web pages within waves. Yet many of the features developed for browsers to warn a user of insecure sites or phishing attacks (even as basic as the address bar, which shows the current domain) are not replicated when a user loads a gadget in Wave.
Many have described Wave as a reinvention of e-mail. Reinventing a technology can be very beneficial, but let’s not forget lessons learned in the old technology – there’s a reason most e-mail clients don’t allow iframes and JavaScript, for instance.
I’m certainly not the first to raise these concerns; others have previously mentioned the danger of login forms on iGoogle gadgets. Nor am I saying that I don’t want Google Wave to succeed. But if we’re going to reinvent a technology, let’s address some of these basic issues of user expectations, human nature and security precautions from the start.
