Friday, August 8, 2008

Phishers target Google Lively

Google's new social networking platform is under attack.

Google recently deployed its own social networking platform, called Google Lively, which has come under the phisher's radar.

Google Lively, currently in Beta stage, is similar to another application called Second Life, by Linden Labs. Lively is even being referred to as the “Second Life killer”.

Google Lively users can embed the application into their Web sites using Google widgets, just as YouTube videos can be embedded into a blog, MySpace or Facebook account. From there they can create their own “room” for site visitors to chat/socialise in. Google Lively allows for customisable characters and personal rooms.

The problem comes in when users have to authenticate themselves to the application: you can literally log in to Google Lively from a completely anonymous site hosting the content.

As you can imagine, this brings about serious issues; an attacker could easily imitate a login screen for Google Lively and embed an object that just stores the username and password.

As in a phishing attack, the user is tricked into handing over their confidential information. It seems possible that the imitation application may intercept the information and then forward the login details to the legitimate application, so the user wouldn't even know their account details have been stolen. The end-user would be clueless as to what has just taken place.

The application download is a mere 469Kb file. From there the application will initialise and install.

Given the hype about hacking Second Life, such as Michael Thumann's excellent talk on the subject, we definitely think we will see a lot of interest in 'hacking' Google Lively.

Not to mention the amount of information that can be acquired through utilising the application for, let's say, 'interesting' purposes.

It is highly recommended that a separate Google account be used for Google Lively activity. This would minimise risk, simply because if a password is stolen, the potential damage will be minimal to the end-user.

In addition to using a separate account, it is advised that South African users watch out for illegitimate Web sites, e-mails and links specifically pertaining to Google Lively.

Google is concerned about security and has obviously drafted up several Web sites providing users with information on several attacks.

They have said the following in response to the security speculation: “Sadly, phishing schemes and other malicious attempts to steal identities are rampant on the Web today. Lively is always working to improve site security and warns users of phishing attempts, but we feel that the Google Accounts system is safe and secure. Always be cautious when entering any username and password that you may have - being aware is your best protection!”

Google has also provided a few safety tips on how not to fall victim to these attacks. These include advising users to be on the lookout for “phishy” e-mails, which contain generic greetings like "Attention Lively Member" or "Dear lucky user", or are targeted specifically at room owners (ie, "We're conducting a survey of Lively room creators...").

These may contain links to Web sites that look exactly like Lively sign-in pages. Google has also described to subscribers several techniques and methodologies that hackers would utilise, such as forged “From” headers in the e-mail.

Judging by the number of people that still fall victim to phishing attacks, more needs to be done than telling users to check for forged headers. More can be read here: http://www.lively.com/help/bin/answer.py?answer=98980&topic=15053
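The indicators in Google's tips (generic greetings, a forged “From” header, links to look-alike sign-in pages) can be checked mechanically rather than left to the user. The following is an added example, not code from Google or from the original post; the trusted-host list, the Return-Path comparison heuristic and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED = ("lively.com", "google.com")  # assumption: legitimate sign-in hosts
# Greetings quoted in Google's tips, plus the room-owner lure.
GREETINGS = re.compile(
    r"attention lively member|dear lucky user|survey of lively room creators", re.I)
URLS = re.compile(r"https?://[^\s\"'<>]+", re.I)

def domain_of(header_value):
    """Lower-cased domain of an address header, or '' if absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def trusted_host(host):
    """True only for a trusted domain or a real subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED)

def phishing_indicators(raw_message):
    """Return the list of indicators found in one plain-text message."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()
    found = []
    if GREETINGS.search(body):
        found.append("generic-greeting")
    # Heuristic: From claims a trusted domain but the envelope sender differs.
    frm, rpath = domain_of(msg["From"]), domain_of(msg["Return-Path"])
    if trusted_host(frm) and rpath and not trusted_host(rpath):
        found.append("from-mismatch")
    for url in URLS.findall(body):
        host = urlparse(url).hostname
        if "lively" in (host or "") and not trusted_host(host):
            found.append("lookalike-link:" + host)
    return found

# Constructed sample message (not a real e-mail).
SAMPLE = """\
From: Lively Team <noreply@lively.com>
Return-Path: <bounce@mailer.example.net>

Attention Lively Member,
We're conducting a survey of Lively room creators. Sign in here:
http://lively.com.signin.example.org/login
"""

if __name__ == "__main__":
    print(phishing_indicators(SAMPLE))
```

A differing Return-Path also occurs in legitimate bulk mail, so that indicator is a signal to weigh with the others, not a verdict on its own.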

With more local users utilising Google services, the concern is more than just the fact that you can log in to Google Lively from any anonymous Web site. There are several very important aspects to be concerned about in terms of the potential damage that could be caused. This leaves the end-user with a great many worries and concerns. We can definitely expect to see some sort of attack against Google Lively in the not too distant future.

2 comments:

Rob said...

This was a very thorough and detailed post about Lively's security issues. I'm glad more blogs are covering these topics as it's very important.

I couldn't agree more that the Lively login should use a unique Lively user ID and not just your Google ID/email. Even when/if they change that, they still have the issue of phishers trying to get your Lively ID, which could cause trouble when/if the time comes when Lively has some type of economy. Then users' "Google Lively" money will be a target for these phishers.

Charlie said...

Thanks Rob, yeah I think we will definitely see some interesting attacks once the Google-lively economy starts to grow.

Hopefully Google will come up with some better security for the application.