08.07
In one of my previous posts about Google Wave I mentioned a security issue concerning gadgets. I decided to do a little more research on this subject and to do some experiments on some publicly available gadgets.
The issue
Before I get into detail about the issue, you need to know how Google Wave gadgets work. Gadgets are little pieces of HTML/JavaScript code that run inside of a wave. The state of a gadget is shared among every participant of the wave. Developers can read variables from this state by calling wave.getState().get('name_of_variable'). To save or update variables in the state, the following function exists: wave.getState().submitDelta({'name_of_variable': value})
This last function is what bothers me about the way gadgets work. The wave server accepts any data that submitDelta() passes on, without any form of validation or authentication. As JavaScript is a client-side interpreted language that is executed inside the browser, any user with the Firebug extension (or some other debugging app/plugin) can alter the running code and manipulate these gadgets in ways that were never intended.
Some examples
Google Wave developer sandbox users should be familiar with the public "Wanna buy a wave t-shirt" wave. It is a wave that shows off the simple counter gadget explained in the gadget API docs. The gadget has a button and a label. Every time the button is clicked, the value in the label is incremented by one. The code for handling the button click looks like this:
    function buttonClicked() {
      // read the current counter from the shared state ('0' if unset)
      var value = parseInt(wave.getState().get('count', '0'));
      // push the incremented value back to the wave server
      wave.getState().submitDelta({'count': value + 1});
    }
As you can see, the code retrieves the current value of 'count' from the state, stores it in a variable 'value' and then pushes value + 1 back to the server with submitDelta(). To try something out, I placed a breakpoint just before the new value was submitted to the server, changed the value of 'value' to '99999' and hit continue. As expected, the wave server accepted my altered value and pushed the new state to every user currently participating in that wave.
In the gadget API docs there is an auction gadget available which demonstrates the use of wave participants. This gadget lets wave participants place bids. The gadget displays the name and picture of the highest bidder together with the amount. The bidding code looks like this:
    function buttonClicked() {
      // the id (email address) of the participant viewing the gadget
      var viewerId = wave.getViewer().getId();
      var state = wave.getState();
      // the bid typed into the gadget's input field
      var bid = parseInt(document.getElementById('yourBid').value);
      // this viewer's current bid in the shared state ('0' if none yet)
      var currentBid = parseInt(state.get(viewerId, '0'));
      if (bid > currentBid) {
        // store the bid under the viewer's own id ('var' added: the
        // original leaked 'delta' as an implicit global)
        var delta = {};
        delta[viewerId] = bid;
        state.submitDelta(delta);
      }
    }
What I did here was: I placed a breakpoint after the viewerId was retrieved from the wave. This viewerId held my email address, because I was the one viewing the gadget. I replaced this email address with the address of another participant in that wave and changed the value of the bid variable to 99999. After I hit continue to execute the remaining code, my changes were again accepted by the server and I had successfully placed a bid in someone else's name. The updated state was once again pushed to every wave participant's gadget, and they all got to see my victim's name, picture and a bid of 99999.
Solution
What can developers do to prevent this abuse? Well, as long as we have no control over how the wave server validates input received from submitDelta(), there is not much we can do. If you really need server-side validation for your gadget, then I think it is best to avoid the shared state and use an external server (on which you can execute validation code) to store your shared variables.
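To make the difference between the two approaches concrete, here is an added example (not code from the original post, and not the Wave gadget API itself). It models the shared state as the post describes it, a submitDelta() that accepts whatever it is given, next to a server-side validator of the kind an external server could run. The names makeSharedState, clientBid, validateBidDelta and applyValidatedBid and the participant addresses are assumptions made for the example; the key idea is that the server derives the bidder's identity from its own authentication, not from a key chosen by the client.

```javascript
// Added example: a toy model of the gadget's shared state and of the
// server-side validation the post recommends. Not the Wave API.

// The shared state as observed in the post: every delta is applied as-is.
function makeSharedState(initial) {
  const data = { ...initial };
  return {
    get(key, fallback) { return key in data ? data[key] : fallback; },
    submitDelta(delta) { Object.assign(data, delta); }, // no validation at all
    snapshot() { return { ...data }; },
  };
}

// The client-side check from the auction gadget. It only guards the honest
// path, because the browser can change viewerId and bid before this runs.
function clientBid(state, viewerId, bid) {
  const currentBid = parseInt(state.get(viewerId, '0'), 10);
  if (bid > currentBid) {
    state.submitDelta({ [viewerId]: bid });
  }
}

// Server-side validation of the same delta. authenticatedId is who the
// server itself knows the caller to be (session, OAuth, ...), so a delta
// keyed on any other participant is rejected, as are non-numeric or
// non-increasing bids. Returns { ok, reason } so callers can log rejections.
function validateBidDelta(state, authenticatedId, delta) {
  const keys = Object.keys(delta);
  if (keys.length !== 1 || keys[0] !== authenticatedId) {
    return { ok: false, reason: 'delta keyed on a participant other than the authenticated user' };
  }
  const bid = delta[authenticatedId];
  if (!Number.isInteger(bid) || bid <= 0) {
    return { ok: false, reason: 'bid is not a positive integer' };
  }
  const currentBid = parseInt(state.get(authenticatedId, '0'), 10);
  if (bid <= currentBid) {
    return { ok: false, reason: 'bid does not exceed the current bid' };
  }
  return { ok: true };
}

// Applies the delta only when validation passes; the validation result is
// returned so it can be logged or sent back to the client.
function applyValidatedBid(state, authenticatedId, delta) {
  const result = validateBidDelta(state, authenticatedId, delta);
  if (result.ok) {
    state.submitDelta(delta);
  }
  return result;
}

// Constructed walkthrough with made-up participant addresses.
const unvalidated = makeSharedState({});
clientBid(unvalidated, 'alice@example.com', 10);
// Anything at all can be pushed straight into the shared state:
unvalidated.submitDelta({ 'bob@example.com': 99999 });

const validated = makeSharedState({});
// Alice is authenticated; a delta in Bob's name is refused.
const rejected = applyValidatedBid(validated, 'alice@example.com', { 'bob@example.com': 99999 });
const accepted = applyValidatedBid(validated, 'alice@example.com', { 'alice@example.com': 5 });
console.log(rejected, accepted, validated.snapshot());
```

The point of the validator is the first check: the server never trusts the key the client put in the delta, it compares it with an identity it established itself. Without that, the other checks are cosmetic, since the same debugger that changes the bid can change the key.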
Some people may not consider this to be a security issue and will say it is just the way wave gadgets are supposed to work. While this may be true, I hope it is not, because it would limit the use of gadgets to fairly trivial applications.
I have no idea what the Google Wave developers think of this. I am certainly going to report this issue in the Google Wave issue tracker and keep you updated on its status.
So this means you could write a bot that participates in the auctions etc., pretending to be other participants
Sounds like a dealbreaker for some interesting apps..