The most devastating is the ability of Google gadgets to immediately redirect victims who log into iGoogle.com to a page under the control of an attacker. This creates a phishing hazard, particularly for less tech-savvy users who don't know to check the browser bar. Even if they do, the bar shows up at gmodules.com, an address many mistakenly believe is safe because it is maintained by Google. (Source)
They said that Google gadgets make other attacks possible, including the ability to:
- carry out port scanning on a victim’s internal network to conduct surveillance
- use cross-site request forgery techniques to force victim PCs to follow links to malicious sites (for instance, those that host child pornography), and
- cause a victim's browser to access a home router and change domain name system server addresses or other sensitive settings. (Source)
Although Hansen, CEO of secTheory, and Stracener acknowledged that in-the-wild attacks using Google gadgets are rare, they said that's likely to change. I believe Google's response to this matter should be addressed as soon as possible.
Well, I rarely use Google Gadgets 🙂