The Inherent Insecurity of Widgets and Gadgets
DEF CON 15, August 2007
Aviv Raff
Iftach Ian Amit
©2007 Finjan Software Ltd. All rights reserved.

Who are we?
• Aviv Raff
  • Security researcher at Finjan’s MCRC
• Iftach Ian Amit
  • Director of security research at Finjan

Introduction - Widgets?
• What is a widget?
  • Widgets are small applications
  • Provide visual information
  • Provide access to frequently used functions
  • Hosted in an environment called a “Widget Engine”
Introduction - Types of widgets
• Website widgets
• 3rd party application widgets
• OS integrated widgets
General Issues - Malicious Widgets
• Widgets are applications
• Applications can include malicious code
• Hence, widgets can be malicious
General Issues - Vulnerabilities
• Widgets are small applications
• Often considered too simple to represent a security threat
• Widgets are developed without security in mind
• Hence, widgets probably have security vulnerabilities

General Issues - Attack vectors
• Downloadable malicious widgets
  • Email attachments
• Vulnerable widgets
  • Command injection
  • Man-in-the-middle attacks
  • Browser vulnerabilities
• Vulnerable websites
  • XSS
  • CSRF
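As an added example (not part of the slides or of Finjan's demos), here is the pattern behind a typical vulnerable web widget: a feed widget that builds markup from attacker-controlled feed fields, shown beside a hardened renderer that escapes text and restricts link schemes. The feed item, function names and link policy are constructed for this illustration; it runs under Node.js.

```javascript
// Added example (not from the slides): a feed widget that renders an
// untrusted item title. The vulnerable renderer concatenates raw text into
// markup; the hardened one escapes it first. All names are hypothetical.

// Constructed feed item: the title is attacker-controlled data the widget
// fetched from a remote feed it does not control.
const FEED_ITEM = {
  link: 'http://example.com/post/1',
  title: 'News <script>alert(1)</script>',
};

// Vulnerable: title and link go straight into HTML, so any markup in them
// becomes part of the widget's DOM once assigned via innerHTML.
function renderItemVulnerable(item) {
  return '<li><a href="' + item.link + '">' + item.title + '</a></li>';
}

// Escape the five characters that matter in HTML text and attribute values.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Only http(s) links are kept; any other scheme (javascript:, data:, ...)
// is replaced by a harmless anchor.
function safeLink(url) {
  try {
    const u = new URL(url);
    return (u.protocol === 'http:' || u.protocol === 'https:') ? u.href : '#';
  } catch {
    return '#';
  }
}

// Hardened: validate the link scheme and escape every untrusted field.
function renderItemHardened(item) {
  return '<li><a href="' + escapeHtml(safeLink(item.link)) + '">' +
    escapeHtml(item.title) + '</a></li>';
}

// Crude check used for verification: is there a live <script> tag in the output?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}
```

The difference is entirely in where the untrusted data lands: the hardened version treats feed fields as text, never as markup, which is the property a widget engine cannot enforce on the widget's behalf.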

General Issues - Impact
• Session/Account hijacking
• Remote denial-of-service
• Information leakage
  • Personal
  • Corporate
• Remote code execution
  • Exploiting browser vulnerabilities
  • Download and execute

Web widgets - In the Wild
• Personalized Portals
  • iGoogle
  • Microsoft Live
  • MyYahoo
• Blog systems
  • WordPress
  • TypePad
• Social networks
  • MySpace
Web widgets - iGoogle
• Personalized Portal
• Requires a Google Account
• Based on HTML and JavaScript
• JS API for widget developers
• Mobile support
Web widgets - iGoogle - Malicious Widget
• Demo
Web widgets – Vulnerable Widget
• Demo
Widget Engines - 3rd party applications
• Yahoo widgets (Konfabulator)
• Google Desktop
• DesktopX
• Opera browser
Widget Engines - Yahoo Widgets
• Previously known as Konfabulator
• Recently released version 4.0
• Based on an HTML-like markup language and JavaScript
• Some of the widgets require a Yahoo account
• Multiplatform API
Widget Engines - Yahoo Malicious Widget
• Demo
Widget Engines - Yahoo Vulnerable Widget
• Demo

OS Widgets - Out-of-The-Box Engines
• Apple OS X
  • Dashboard
• Windows Vista
  • Sidebar
• Linux
  • KDE / GNOME
OS Widgets - Vista Sidebar
• Installed by default on all Windows Vista editions
• Allows installation of external widgets
• Uses Internet Explorer 7.0 for rendering
• DOES NOT utilize IE7 Protected Mode!
• JS API for widget developers
OS Widgets - Vista Sidebar Malicious Widget
• Demo
OS Widgets - Vista Sidebar Vulnerable Widget
• Demo

Widgets on Mobile Devices
• iGoogle and Live.com provide a mobile interface
• Displays different widgets from the PC version
• Only some of the widgets can be added
• Attack vectors:
  • Session/Account hijacking
  • Exploiting mobile browser vulnerabilities

Widgets and Browser Extensions
• Actually not very different
• Browser integration vs. OS/Engine/Site integration
• Firefox browser extensions
  • Run with elevated (chrome) privileges
  • Firebug
• Internet Explorer ActiveX
  • BHO
  • OS ActiveX

Solutions / Recommendations
• Digital Signing for Widgets
• Trust no one
  • Do not install unofficial/unknown widgets
• If you don’t use it, block it!
  • Block .widget and .gadget files
• Use solutions that implement Widgets 1.0

Solutions / Recommendations - Widgets 1.0
• W3C standard for widget development
• Last draft version from November 2006
  • http://www.w3.org/TR/widgets/
• Object model based on Apple’s Dashboard
• Implemented in Opera browser widgets
• Strict security model:
  • No access to user’s file system
  • Explicit declarations of protocol usage
  • Explicit declarations of port usage
  • Intranet IP range restrictions
Questions