wave hijacking


Bart Thate

Feb 10, 2010, 11:03:48 AM
to Google Wave API
Hello wavers and more hello Google Team,

Today a gadget was inserted into a public wave of mine, which directed
me on joining the wave to the following page:

http://hosting.gmodules.com/ig/gadgets/file/100726510508187623906/wave.html

this page is a phishing login page of google wave which upon
registration logs stuff in a spreadsheet. The effect is that i cannot
enter the wave as it instantly directs me to the html page, so i
cannot even remove the thing ;]

Obviously we need some stricter level of security in waves, now i wish
i had something like +v in waves, so people can add txt but not insert
gadgets etc.

The wave is at:

https://wave.google.com/wave/#restored:wave:googlewave.com!w%252BRvJRnrZkBZi

Greetings,

Bart

eyalzh

Feb 10, 2010, 11:19:11 AM
to google-...@googlegroups.com
Try to block googleusercontent.com temporarily in your browser / hosts file etc.
Then enter the wave and remove the gadget.

To view the wave structure you can use antimatter15's wave reader:
http://antimatter15.com/misc/read/?googlewave.com!w%252BRvJRnrZkBZi

Hope this helps,
Eyal.




Bart Thate

Feb 10, 2010, 11:23:52 AM
to google-...@googlegroups.com
On Wed, Feb 10, 2010 at 5:19 PM, eyalzh <eya...@gmail.com> wrote:

Hoi Eyal ;]

> Try to block googleusercontent.com temporarily in your browser / hosts file
> etc.
> Then enter the wave and remove the gadget.
>
> To view the wave structure you can use antimatter15's wave reader:
> http://antimatter15.com/misc/read/?googlewave.com!w%252BRvJRnrZkBZi
>
> Hope this helps,
> Eyal.
>

It's not that i can save this wave, it demonstrates a deeper underlying
problem, that is the lack of a permissions system that allows the
owner to determine what participants can and cannot do.

Bart

Ronald C.F. Antony

Feb 10, 2010, 11:50:20 AM
to google-...@googlegroups.com, Ronald C.F. Antony
On 10 Feb 2010, at 11:23, Bart Thate wrote:

> It's not that i can save this wave, it demonstrates a deeper underlying
> problem, that is the lack of a permissions system that allows the
> owner to determine what participants can and cannot do.

And for that matter, the creator/owner's ability to remove something out of a wave as if it had never existed in the first place, or has that ability been snuck in below my radar?
Last I checked there was no permanent removal, so if you'd do a history playback you might still end up there again...

There have been discussions here before on the type of security levels, which allow moderated threads, cooperative threads, etc. which exhibit different mechanisms of control over access and deletion.

The issue of things embedded in Waves is one that is disturbing, however, in much the same way as html e-mail: the moment you have "rich" content, it allows for masquerading of things as things they aren't, and thus for all sorts of social engineering approaches for hacking and phishing.

I would thus also much prefer that when I create a wave I can specify that it must be plain-text only, just like I avoid HTML e-mail like the plague. Allowing specific content should have to be a conscious, deliberate choice. It should also be possible for the wave creator to decide the set of gadgets, bots, etc. that are permissible in a wave, because with these things proliferating, you will at some point be hard pressed to know what they do and where your information goes behind your back.

Ronald

Bart Thate

Feb 10, 2010, 11:59:05 AM
to google-...@googlegroups.com

Well one thing i know from my IRC days is that it's best to put the
power into the owner's hands and NOT distribute this power to other
participants as you will get the old take-over days all over again.

Bart

Ronald C.F. Antony

Feb 10, 2010, 12:27:54 PM
to google-...@googlegroups.com, Ronald C.F. Antony
On 10 Feb 2010, at 11:59, Bart Thate wrote:

> Well one thing i know from my IRC days is that it's best to put the
> power into the owner's hands and NOT distribute this power to other
> participants as you will get the old take-over days all over again.

It all depends. Waves between friends, in a corporate setting, in a semi-public or public environment etc. are all different.

If Wave is going to supplant e-mail, and I have a one-on-one with my girlfriend, it should have different semantics than when Wave supplants a mailing list on e.g. VW engine repair issues.

It is because Wave can potentially replace E-mail, IRC, IM, BBS, collaborative workflow software, Wiki, etc. that it needs a more differentiated approach, because these various currently used tools have each different assumptions of trust, and all of them have to be mappable into Wave. And that's the challenge.

So by default, all the power should be with the creator. But there need to be mechanisms to relax control, and there need to be mechanisms to assign trust levels to certain users, such that e.g. in the above girlfriend scenario, I don't have to explicitly give her all sorts of permissions each time I start a new wave with her.

Maybe one way of dealing with this is that e.g. adding users to a wave is only possible if that new addition has the same or higher assigned trust level with the creator of the wave.

Example: I trust my buddy, my girlfriend, but not her sneaky room mate. So I start a new wave with my buddy. He adds my girlfriend to the wave, which works, because she has the same or higher trust level assigned in my list of contacts as he has. She wants to add her room mate, and that will trigger a permission request to me, because now the entire conversation (according to the weakest link theory) will degrade in trustability.

The question is, will my buddy have to agree to having the room mate added, too, or can I simply rule yes, because I started the wave?

I guess in a collaborative setting like the above example, he should be asked, too, unless she's already on the appropriate trust level in his list of contacts.

In a more structured Wave, there should be something like an admin/owner. So either we need to have different wave types we instantiate, or we need a mechanism to alter the type of the Wave e.g. based on the number of participants, whether or not it's a public wave, etc.

The tricky part is, it not only has to do what we need and be secure, it also has to be easy to understand, because the best mechanisms are useless if they are so complicated that people don't use them properly.

Maybe Google should come up with a plan for all this access control stuff, deletion issues, etc. and have a list dedicated to discussing it? I don't want to clutter the list here with these rather vague ideas in a vacuum of knowledge of Google's plans. On the other hand, I do think these things need to be addressed, because in some ways Wave is woefully inadequate in these regards as it stands now.

Ronald
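
The add-participant rule from this message, together with the creator-chosen gadget set from the earlier message in the thread, sketched as an added example (not part of the original posts and not Wave's actual API). The class, method names, numeric trust levels and the example.org gadget URL are assumptions made for illustration; the newcomer is compared against the adder's level, which is one reading of the rule.

```python
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    ASK_CREATOR = "ask_creator"   # park the action until the creator rules on it
    DENY = "deny"


@dataclass
class Wave:
    creator: str
    trust: dict                               # creator's contact list: name -> level (higher = more trusted)
    allowed_gadgets: frozenset = frozenset()  # empty set = plain-text-only wave
    participants: set = field(default_factory=set)
    pending: set = field(default_factory=set)

    def __post_init__(self):
        self.participants.add(self.creator)

    def add_participant(self, adder, newcomer):
        if adder not in self.participants:
            return Decision.DENY
        # Contacts the creator has not rated default to level 0 (least trusted).
        newcomer_level = self.trust.get(newcomer, 0)
        if adder == self.creator or newcomer_level >= self.trust.get(adder, 0):
            self.participants.add(newcomer)
            return Decision.ALLOW
        self.pending.add(newcomer)            # would lower the wave's trust: ask first
        return Decision.ASK_CREATOR

    def approve(self, approver, newcomer):
        # Only the creator can approve a pending request.
        if approver != self.creator or newcomer not in self.pending:
            return False
        self.pending.discard(newcomer)
        self.participants.add(newcomer)
        return True

    def insert_gadget(self, who, gadget_url):
        # Rich content is opt-in: exact-match allowlist chosen by the creator.
        if who in self.participants and gadget_url in self.allowed_gadgets:
            return Decision.ALLOW
        return Decision.DENY


def demo():
    w = Wave("ronald", {"buddy": 2, "girlfriend": 3, "roommate": 0})
    return [w.add_participant("ronald", "buddy"),
            w.add_participant("buddy", "girlfriend"),
            w.add_participant("girlfriend", "roommate"),
            w.insert_gadget("girlfriend", "https://gadgets.example.org/poll.xml")]
```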

Bart Thate

Feb 10, 2010, 12:41:21 PM
to google-...@googlegroups.com
On Wed, Feb 10, 2010 at 6:27 PM, Ronald C.F. Antony
<ronald...@gmail.com> wrote:
> On 10 Feb 2010, at 11:59, Bart Thate wrote:
>
>> Well one thing i know from my IRC days is that it's best to put the
>> power into the owner's hands and NOT distribute this power to other
>> participants as you will get the old take-over days all over again.
>
> It all depends. Waves between friends, in a corporate setting, in a semi-public or public environment etc. are all different.
>
> If Wave is going to supplant e-mail, and I have a one-on-one with my girlfriend, it should have different semantics than when Wave supplants a mailing list on e.g. VW engine repair issues.
>
> It is because Wave can potentially replace E-mail, IRC, IM, BBS, collaborative workflow software, Wiki, etc. that it needs a more differentiated approach, because these various currently used tools have each different assumptions of trust, and all of them have to be mappable into Wave. And that's the challenge.
>
> So by default, all the power should be with the creator. But there need to be mechanisms to relax control, and there need to be mechanisms to assign trust levels to certain users, such that e.g. in the above girlfriend scenario, I don't have to explicitly give her all sorts of permissions each time I start a new wave with her.

What i meant is that the power to give permissions should be with the
owner. Of course you need to be able to allow participants certain
actions, but don't distribute the power to give these permissions (the
+o in IRC terms)

>
> Maybe one way of dealing with this is that e.g. adding users to a wave is only possible if that new addition has the same or higher assigned trust level with the creator of the wave.
>
> Example: I trust my buddy, my girlfriend, but not her sneaky room mate. So I start a new wave with my buddy. He adds my girlfriend to the wave, which works, because she has the same or higher trust level assigned in my list of contacts as he has. She wants to add her room mate, and that will trigger a permission request to me, because now the entire conversation (according to the weakest link theory) will degrade in trustability.
>
> The question is, will my buddy have to agree to having the room mate added, too, or can I simply rule yes, because I started the wave?
>
> I guess in a collaborative setting like the above example, he should be asked, too, unless she's already on the appropriate trust level in his list of contacts.
>
> In a more structured Wave, there should be something like an admin/owner. So either we need to have different wave types we instantiate, or we need a mechanism to alter the type of the Wave e.g. based on the number of participants, whether or not it's a public wave, etc.
>

This gets complicated ;]


> The tricky part is, it not only has to do what we need and be secure, it also has to be easy to understand, because the best mechanisms are useless if they are so complicated that people don't use them properly.
>
> Maybe Google should come up with a plan for all this access control stuff, deletion issues, etc. and have a list dedicated to discussing it? I don't want to clutter the list here with these rather vague ideas in a vacuum of knowledge of Google's plans. On the other hand, I do think these things need to be addressed, because in some ways Wave is woefully inadequate in these regards as it stands now.

I don't think discussing this here is a problem as it's so related to
where wave is heading esp. what the new API will implement. The lack
of knowledge of Google's plans is problematic i think as it's pretty
much a black box for us until we have the new API code.

Bart

Austin Chau

Feb 10, 2010, 6:08:01 PM
to Google Wave API
Thanks for bringing this to our attention. We have filed this
internally and I have given that issue a knock to give it some
priority, as soon as we hear back we will update this thread. Thanks!

Austin

On Feb 10, 8:03 am, Bart Thate <bth...@gmail.com> wrote:
> Hello wavers and more hello Google Team,
>
> Today a gadget was inserted into a public wave of mine, which directed
> me on joining the wave to the following page:
>

> http://hosting.gmodules.com/ig/gadgets/file/100726510508187623906/wav...


>
> this page is a phishing login page of google wave which upon
> registration logs stuff in a spreadsheet. The effect is that i cannot
> enter the wave as it instantly directs me to the html page, so i
> cannot even remove the thing ;]
>
> Obviously we need some stricter level of security in waves, now i wish
> i had something like +v in waves, so people can add txt but not insert
> gadgets etc.
>
> The wave is at:
>

> https://wave.google.com/wave/#restored:wave:googlewave.com!w%252BRvJR...
>
> Greetings,
>
> Bart

Stephen Gigante

Feb 10, 2010, 8:11:40 PM
to google-...@googlegroups.com
Doesn't the gadget, and the page it redirects to, violate the Google Terms of Service?
I'm not sure whether the person who added said gadget is violating any ToS, although if they also own said gadget, I'd be surprised if they weren't.

While it may not be possible to remove the gadget from playback, removing it from the gmodules webserver should stop the (ex-)gadget from resolving.

In the meantime, I'd suggest using noscript to disallow certain actions by any gmodules.com pages.

 - Stephen

>
> Greetings,
>
> Bart

Brian May

Feb 10, 2010, 8:45:13 PM
to google-...@googlegroups.com
On 11 February 2010 04:27, Ronald C.F. Antony <ronald...@gmail.com> wrote:
> Example: I trust my buddy, my girlfriend, but not her sneaky room mate. So I start a new wave with my buddy. He adds my girlfriend to the wave, which works, because she has the same or higher trust level assigned in my list of contacts as he has. She wants to add her room mate, and that will trigger a permission request to me, because now the entire conversation (according to the weakest link theory) will degrade in trustability.

Perhaps a bad example. In this case it would be easy for your
girlfriend to show the wave to her room mate and nobody need ever
know.
--
Brian May <br...@microcomaustralia.com.au>

david b

Feb 12, 2010, 10:27:13 AM
to Google Wave API
I have the same issue. I posted a spreadsheet gadget here
http://spreadsheet.happinessbeats.com
I created a public wave to demonstrate it, now when you open the wave
it is redirected to the same url on gmodules.
The wave id is: googlewave.com!w%2BtT2SoEjHB

Any advice as to what is the right way to handle this situation will
be helpful,

Thanks,

David

On Feb 10, 11:03 am, Bart Thate <bth...@gmail.com> wrote:
> Hello wavers and more hello Google Team,
>
> Today a gadget was inserted into a public wave of mine, which directed
> me on joining the wave to the following page:
>

> http://hosting.gmodules.com/ig/gadgets/file/100726510508187623906/wav...
>
> this page is a phishing login page of google wave which upon
> registration logs stuff in a spreadsheet. The effect is that i cannot
> enter the wave as it instantly directs me to the html page, so i
> cannot even remove the thing ;]
>
> Obviously we need some stricter level of security in waves, now i wish
> i had something like +v in waves, so people can add txt but not insert
> gadgets etc.
>
> The wave is at:
>

> https://wave.google.com/wave/#restored:wave:googlewave.com!w%252BRvJR...
>
> Greetings,
>
> Bart
