The Inherent Insecurity of Widgets and Gadgets

Presented at DEF CON 15 (2007), Aug. 5, 2007, noon (50 minutes)

Widgets (or Gadgets) are small applications that usually provide some kind of visual information or quick access to a frequently used function. Because widgets are in fact applications, they too can include malicious code. Furthermore, because legitimate widgets such as calculators and clocks are so simple, they are typically developed without security in mind. In this presentation, we will explain the three different types of widgets in detail. We will demonstrate a proof-of-concept malicious widget for each of the types and also highlight the attack vectors for exploiting a vulnerable legitimate widget. Following the demonstrations, we will talk at a high level about widgets integrated in mobile devices. We will take a brief look at the Widgets 1.0 paper created by the W3C, and also discuss the similarity between widgets and browser extensions in terms of their inherent insecurity.

  • Iftach Ian Amit - Director of Security Research, Finjan
    Iftach Ian Amit: With over 10 years of experience in the information security industry, Iftach Ian brings a mixture of software development, OS, network and web security to Finjan as the Director of Security Research. Prior to Finjan, Iftach was the founder and CTO of a security startup in the IDS/IPS arena and developed new techniques for attack interception. Prior to that, he served in a director position at Datavantage (NASDAQ:MCRS) with responsibility for software development and information security, as well as designing and building a financial datacenter. Prior to Datavantage, he managed the Internet application department at Comsec Consulting as well as the Unix department, where he consulted for major banking and industry companies worldwide. Iftach Ian holds a Bachelor's degree in Computer Science and Business Administration from the Interdisciplinary Center at Herzlya.
  • Aviv Raff - Security Researcher, Finjan
    Aviv Raff is a security researcher specializing in application vulnerabilities research, security product evasion techniques and malicious code analysis. He contributes to projects like Metasploit and Month of Browser Bugs. He is also a co-creator of several known browser fuzzers like Hamachi, CSS-Die and DOM-Hanoi. In his spare time, Aviv works as a security researcher at Finjan's Malicious Code Research Center (MCRC).