Hackers exploit widget security holes

Powered by SC Magazine

New attacks that exploit widgets and gadgets are imminent, according to the latest Web Security Trends Report from Finjan.

Widgets are small applets that usually run in a web browser or on the desktop and provide a specific function such as weather reports or stock updates.

The technology is used as a way to personalise a desktop or webpage to provide the information users want.

Finjan's Malicious Code Research Centre has studied changing trends in attacks used by hackers to gain information or control of a user's PC.

Following current trends, the company's researchers predict that the increasing use of widgets is exposing computer users to a whole host of attacks.

All types of widget environments, including operating systems, third-party applications and web widgets, have inadequate security models that could allow malicious widgets to run.

The potential scale of the problem is highlighted by the fact that there are already around 3,720 widgets already available on Google, 3,197 on Apple and 3,959 on Facebook.

The Finjan research suggests that attacks that exploit the insecurities of widgets are imminent, and that a revised security model should be explored to protect users.

"As widgets become common in most modern computing environments their significance from a security standpoint rises," said Yuval Ben-Itzhak, chief technology officer at Finjan.

"Vulnerabilities in widgets and gadgets enable attackers to gain control of user machines, and should be developed with security in mind.

"This attack vector could have a major impact on the industry, exposing corporations to new security considerations that need to be dealt with."

Finjan recommends that users refrain from using non-trusted third party widgets, just as they would do with full blown applications.

Extra caution should also be taken when using interactive widgets that rely on external feeds such as RSS which may be susceptible to attacks that exploit this trust by piggybacking a malicious payload on such data.

Copyright ©v3.co.uk

Hackers exploit widget security holes
Top Stories
Myer CIO named retailer's new chief executive
Richard Umbers to lead data-driven retail strategy.
Empty terminals and mountains of data
Qantas CIO Luc Hennekens says no-one is safe from digital disruption.
BoQ takes $10m hit on Salesforce CRM
Regulatory hurdles end cloud pilot.
Sign up to receive iTnews email bulletins
Latest Comments
Who do you trust most to protect your private data?

   |   View results
Your bank
Your insurance company
A technology company (Google, Facebook et al)
Your telco, ISP or utility
A retailer (Coles, Woolworths et al)
A Federal Government agency (ATO, Centrelink etc)
An Australian law enforcement agency (AFP, ASIO et al)
A State Government agency (Health dept, etc)

Do you support the abolition of the Office of the Information Commissioner?

   |   View results
I support shutting down the OAIC.
I DON'T support shutting the OAIC.