PaulDotCom mailing list archives
Google Wave
From: gameman.pdcmail at myworkarea.net (gameman733)
Date: Wed, 18 Nov 2009 23:43:03 -0500
Assuming it's allowed, I'll be more than happy to help any way I can. Just shoot me an e-mail or catch me on IRC.

The one attack vector I had mentioned was purely theoretical; however, it does raise the issue of whether or not there is any kind of security mechanism in a wave. Being able to collaboratively add widgets or gadgets or whatever they want to call them is nice, but could cause so many problems.

-----Original Message-----
From: pauldotcom-bounces at mail.pauldotcom.com [mailto:pauldotcom-bounces at mail.pauldotcom.com] On Behalf Of Michael Douglas
Sent: Wednesday, November 18, 2009 8:18 PM
To: PaulDotCom Security Weekly Mailing List
Subject: Re: [Pauldotcom] Google Wave

I *just* got my invite a few days ago. (thanks again Mr. Operator!)

I think there's much potential here... both for good and ill. What's most impressive to me though is just how well it works considering how young this is.

I'm looking into the ToS for wave and am trying to see if kicking the tires and doing some poking and prodding -- you know attack research -- is allowed. If it is, I think there could be a wealth of research.

I'm going to be busy to pretty much the end of the year... but if someone wants to assist with wave attacks and such then, by all means let me know.

- Mick

On Tue, Nov 17, 2009 at 12:22 AM, gameman733 <gameman.pdcmail at myworkarea.net> wrote:
Just got a Google Wave invite yesterday and got to sit down and play with it a bit today. I was wondering if anyone else on the list has had a chance to do anything with it.

Right off the top of my head, I see a couple things that could make things interesting if Google has their way with Wave.

One of the extensions that have been made is a basic html code inserter, so you can insert HTML code directly into a Wave. Obviously only people you trust should be added to any particular wave, but one of Google's examples at the developer's preview was using a wave for blog comments. I haven't tried anything like it just yet, but if you have a wave that anyone can contribute to, what's stopping someone from contributing this html extension with some malicious (or even annoying) code in it? It seems to me like it would defeat the purpose of some of the html stripping/encoding mechanisms on popular webapps.

Has anyone else had a chance to look into Google Wave at all?

_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com