Last night, I enabled Google ChatBack, and one of the readers, Raxit, did an interesting hack: he took the page source, copied the ChatBack script and published it on his own site.
Result?
It seems anybody can copy someone else's widget and have a "Chat with Ashish Sinha" widget installed on their own site (see this example).
So what? Isn’t that true for any script that one installs on site/blog?
Well, it depends on which script you are dealing with. Why? Because any porn site could host a "Talk with Michael Arrington" widget. In fact, anybody could run a bot and harvest other people's GTalk IDs from the widget code. Worse, a bot could collect the code across sites and start spamming!
I may not be techie enough to understand everything that can potentially go wrong, but one thing is for sure: my GTalk ID is my Google Account ID, and I wouldn't want to take any sort of risk for a service that is just not worth the associated spam.
I’d still prefer MeeboMe!

Well buddy – did I hear you say “Do not be evil”?
Hey,
This is not a hack, maybe "potential heavy misuse".
I have informed the Google ChatBack team, with the link as PoC! Let's see what they come up with!
http://www.smartgunda.com/chatback.html
http://www.smartgunda.com/chatbackmore.html
-Raxit
The solution is simple, but it's just that "it has to be done". The widget providers must publish the widget only if the user has authorised the URL/domain that is requesting it.
- Rajiv
Rajiv,
unfortunately Google didn't do it.
I got a reply from Google ChatBack asking me to send them detailed stuff. I sent them the stuff + my contact info; no reply since then!!!
-raxit
This is the source for the Meebo chat you have installed; this could again be misused the same way you said, so eventually even Meebo and GTalk aren't safe.
The only option is to verify with the URL!
@Sridhar – I know that the same applies to any widget-based tool (I mentioned that in the post as well).
My question is very basic: GTalk is linked to my Google account, and Google needs to be a lot more intelligent when it exposes such things.
There should be a way to verify the URL (as you said) where you are publishing the code.
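An added example to make Rajiv's proposal and the "verify the URL" point above concrete. This is not code from the post, from Google ChatBack or from Meebo; it is an illustration of the two sides of the problem. It assumes (my assumptions, not the page's) that the provider serves the widget from a URL like https://widget.example/chatback.js, that the visitor's browser sends a Referer header when it loads that script, and that the provider keeps a server-side registry of which hosts each account owner has authorised.

```python
"""Added example: why a copy-pasteable chat widget leaks the owner's account,
and how a provider could bind the embed to authorised domains instead.

Constructed for illustration; hostnames, URLs and IDs are made up."""
import re
import secrets
from typing import Dict, FrozenSet, List, Optional, Tuple
from urllib.parse import urlsplit

# --- The vulnerable pattern: the account ID sits in the embed code itself ---

def naive_embed_snippet(gtalk_id: str) -> str:
    """Embed code that carries the owner's account ID in clear text.
    (Constructed to show the problem; not Google's actual snippet.)"""
    return f'<script src="https://widget.example/chatback.js?id={gtalk_id}"></script>'

ID_PATTERN = re.compile(r'chatback\.js\?id=([^"&]+)')

def harvest_ids(page_html: str) -> List[str]:
    """What a crawler does with such pages: pull out every embedded account ID."""
    return ID_PATTERN.findall(page_html)

# --- The hardened pattern: opaque token, resolved server-side, bound to hosts ---

# token -> (account_id, authorised hosts). In-memory stand-in for the
# provider's database (assumption: such a registry exists).
REGISTRY: Dict[str, Tuple[str, FrozenSet[str]]] = {}

def issue_embed_token(account_id: str, authorised_hosts: List[str]) -> str:
    """Owner registers the sites the widget may appear on and receives a random
    token that reveals nothing about the account."""
    token = secrets.token_urlsafe(16)
    REGISTRY[token] = (account_id, frozenset(h.lower() for h in authorised_hosts))
    return token

def token_embed_snippet(token: str) -> str:
    """Embed code that a harvester can copy but cannot learn anything from."""
    return f'<script src="https://widget.example/chatback.js?t={token}"></script>'

def referer_host(referer: Optional[str]) -> Optional[str]:
    """Hostname of the embedding page, lower-cased, or None if unusable."""
    if not referer:
        return None
    host = urlsplit(referer).hostname
    return host.lower() if host else None

def host_authorised(host: Optional[str], authorised: FrozenSet[str]) -> bool:
    """Exact match or a subdomain of an authorised host. The dot in the suffix
    check keeps 'notblog.example' from passing for 'blog.example'."""
    if host is None:
        return False
    return host in authorised or any(host.endswith("." + a) for a in authorised)

def serve_widget(token: str, referer: Optional[str]) -> Optional[str]:
    """Provider-side check when chatback.js is requested. Returns the account
    the widget should connect to, or None to refuse. The account ID leaves the
    server only for a request whose Referer is an authorised host, and a
    missing Referer fails closed rather than open."""
    entry = REGISTRY.get(token)
    if entry is None:
        return None                # unknown or revoked token
    account_id, authorised = entry
    if not host_authorised(referer_host(referer), authorised):
        return None                # copied onto a site the owner never approved
    return account_id
```

Two caveats a practitioner would want. First, the Referer check stops the widget working for real visitors of a copycat page, because their browsers report where the script was loaded from; it does not stop a bot that fabricates the header, which is why the token indirection matters: even a bot that resolves the token gets the chat relay, not a harvestable list of account IDs in page source. Second, sites that set a strict referrer policy will send no Referer at all, and the owner then has to loosen that policy for the widget; failing closed in that case is still the right default for a service that exposes the owner's primary account identifier.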
I like http://www.hab.la as a MeeboMe alternative; it's JS-based rather than Flash-based and has a lot more customizability, if you don't mind writing a little code.