I Thought i was Fooled When Google WAVE Was released On April 1 , After a day only i Fathom that Google Wave Service Exists ..Well Coming to tha Point ,Many security researchers and hackers are familiar with BeEF, a browser exploitation framework by Wade Alcorn. In short, BeEF is a program that brings together various types of code for taking advantage of known vulnerabilities in web browsers. If a target computer loads a certain bit of code within a web page, that code connects to a server control panel which can then execute certain attacks against the “zombie” machine.
After noting potential security issues with the gadgets in Google Wave, I set about to finally setup a BeEF testbed and see if Google Wave was as capable a platform for malware delivery.
The picture above shows the results. I successfully created a Google Wave gadget that creates a new BeEF zombie whenever someone views the wave. This does not allow for the keylogger function of BeEF, but I did send an alert dialog (as shown) and used the Chrome DoS function to crash the browser tab. (I could also detect that the zombie machine had Flash installed – imagine the possibilities of using Flash or PDF exploits in an auto-loaded gadget.)
What’s even more disconcerting is that BeEF can integrate with Metasploit to potentially take over a victim’s machine. I do not currently have Metasploit setup to test using Autopwn, but based on my experiences so far, I’m fairly confident such an attack would succeed.
All of these demonstrations about security and Google Wave point to four general weaknesses in Wave’s current structure:
After noting potential security issues with the gadgets in Google Wave, I set about to finally setup a BeEF testbed and see if Google Wave was as capable a platform for malware delivery.
Example of a BeEF zombie spawned via Google Wave
What’s even more disconcerting is that BeEF can integrate with Metasploit to potentially take over a victim’s machine. I do not currently have Metasploit setup to test using Autopwn, but based on my experiences so far, I’m fairly confident such an attack would succeed.
All of these demonstrations about security and Google Wave point to four general weaknesses in Wave’s current structure:
- Allowing scripts and iframes in gadgets with no limits apart from sandboxing
- Lack of control over what content or users can be added to a wave
- No simple mechanism for verifying gadget sources or features
- Automatically loading gadgets when a wave is viewed
