May 3, 2010
Malicious Google Gadgets in Action
Malicious Google Gadgets in Action Video – by Offensive Security

A new report by emgent shows malicious Google Gadgets in action. The real vulnerability lies in the ability of a malicious user to add their own Gadgets on a separate domain space, without Google’s authorization.
The attack variant shown in the movie can be altered to steal cookies and run arbitrary JavaScript on victim machines, and could be further weaponized to create Malicious Google Gadget worms.
When researching this topic, we found references to similar vulnerabilities which date back to 2007, reported by Tom Stracener and Robert Hansen.
Although the Google infrastructure has changed since 2007, it seems that this new variant of the attack is still possible. Emgent’s email to Google over a month ago went unanswered. The solution? Extra vigilance on your side. Check our demo movie.