PaulDotCom mailing list archives

Google Wave


From: gameman.pdcmail at myworkarea.net (gameman733)
Date: Wed, 18 Nov 2009 23:43:03 -0500

Assuming it's allowed, I'll be more than happy to help any way I can. Just
shoot me an e-mail or catch me on IRC. The one attack vector I had mentioned
was purely theoretical, however it does raise the issue of whether or not
there is any kind of security mechanism in a wave. Being able to
collaboratively add widgets or gadgets or whatever they want to call them is
nice, but could cause so many problems.

-----Original Message-----
From: pauldotcom-bounces at mail.pauldotcom.com
[mailto:pauldotcom-bounces at mail.pauldotcom.com] On Behalf Of Michael Douglas
Sent: Wednesday, November 18, 2009 8:18 PM
To: PaulDotCom Security Weekly Mailing List
Subject: Re: [Pauldotcom] Google Wave

I *just* got my invite a few days ago.  (thanks again Mr. Operator!)

I think there's much potential here... both for good and ill.  What's
most impressive to me though is just how well it works considering how
young this is.

I'm looking into the ToS for wave and am trying to see if kicking the
tires and doing some poking and prodding -- you know attack research
-- is allowed.  If it is, I think there could be a wealth of research.

I'm going to be busy to pretty much the end of the year... but if
someone wants to assist with wave attacks and such then, by all means
let me know.



- Mick


On Tue, Nov 17, 2009 at 12:22 AM, gameman733
<gameman.pdcmail at myworkarea.net> wrote:
Just got a Google Wave invite yesterday and got to sit down and play with it
a bit today. I was wondering if anyone else on the list has had a chance to
do anything with it. Right off the top of my head, I see a couple things
that could make things interesting if Google has their way with Wave.

One of the extensions that have been made is a basic html code inserter, so
you can insert HTML code directly into a Wave. Obviously only people you
trust should be added to any particular wave, but one of Google's examples
at the developer's preview was using a wave for blog comments. I haven't
tried anything like it just yet, but if you have a wave that anyone can
contribute to, what's stopping someone from contributing this html extension
with some malicious (or even annoying) code in it? It seems to me like it
would defeat the purpose of some of the html stripping/encoding mechanisms
on popular webapps.



Has anyone else had a chance to look into Google Wave at all?

_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
