Ask the Expert

Are desktop gadgets a target for hackers?

What are the security risks associated with desktop gadget and widget applications?

    Requires Free Membership to View

Client-side Web applications, such as Yahoo Widgets or Google Gadgets, are currently all the rage. Windows Vista's new sidebar, for example, hosts and supports the use of these mini-applications, suggesting that they will be around for some time.

For anyone who hasn't come across them, they are typically self-contained applications that display information often pulled from a remote source. Gadgets, for example, can report the latest weather and real-time stock prices. Some also display local or system information, including laptop battery levels and "To Do" lists.

Throughout the rest of this article, I shall refer to all varieties as gadgets.

These applications have a runtime environment directly built on a Web browser. They're commonly written in scripting languages such as JavaScript, but they can also be written in languages such as C++. Since widgets are client-side applications, which run on the user's machine and not a remote server, they can have access to system data via application programming interface (API) functions. Many of them also support the XMLHttpRequest object, which allows asynchronous data requests over HTTP. These features make the gadgets more like small desktop programs rather than the more familiar plug-ins and applets.

If you recall, Java applets run in a sandboxed environment, allowing a user to run untrusted code safely, since such conditions impose strict controls on what a program can and cannot do. Gadgets, however, face no such restraints. This means that hackers can disguise gadgets as spyware, which could monitor keystrokes or install other malicious software. Attackers could then capture confidential data and send it to a remote system. Gadgets must be particularly appealing to hackers since their support for JavaScript allows the opportunity for cross-platform attacks.

At this early stage in their evolution, you need to exercise a degree of caution when deciding to install a gadget. As the use of gadgets becomes more widespread, hackers will quickly take advantage of them and use them to attack. I would only install gadgets that you know come from reputable sources or are digitally signed. A digitally signed gadget verifies an author's authenticity.

For system administrators, I would seriously consider whether to allow the use of these gadgets. I haven't yet seen any that provide must-have functionality. Some organizations use them to provide constant updates to employees on enterprise data, such as sales levels or support call waiting times. While this type of gadget certainly offers some benefits, I would want to know whether the gadget displays reliable data, doesn't burden the network and is compliant with e-discovery regulations.

More information:

  • In the new Data Protection Security School, Perry Carpenter explains which e-disovery and storage processes are often overlooked.
  • With so many vulnerabilities in client-side applications, it's important to keep an eye on RSS readers as well. Ed Skoudis explains.
  • This was first published in May 2007