A word to the wise
This article just popped onto my radar: Google Wave as a Tool for Hacking. theharmonyguy, over at Social Hacking, built a gadget for Google Wave that demonstrates the lack of security protections and sanitization in the Wave platform, allowing a user’s computer to be compromised simply by viewing an incoming wave. From the article:
All of these demonstrations about security and Google Wave point to four general weaknesses in Wave’s current structure:
- Allowing scripts and iframes in gadgets with no limits apart from sandboxing
- Lack of control over what content or users can be added to a wave
- No simple mechanism for verifying gadget sources or features
- Automatically loading gadgets when a wave is viewed
This is just another example of how the rush to release cool new technology gets in the way of even a cursory check that you’re not exposing your users, and their data or identities, to undue risk.
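As an added example (not code from the original post, from Social Hacking, or from Google Wave itself), here is a host-side gadget loading policy in JavaScript that counters the weaknesses in the quoted list: a gadget is auto-loaded only from an allowlisted origin, anything else waits for an explicit click, and the iframe sandbox never grants a script-enabled gadget the host's own origin. The host origin and the allowlist are hypothetical values.

```javascript
// Added example, not part of the original post. Policy for a wave-style host
// that embeds third-party gadgets in iframes. Hypothetical origins throughout.

const HOST_ORIGIN = "https://wave.example.test";      // the host application itself
const TRUSTED_GADGET_ORIGINS = new Set([             // constructed allowlist
  "https://gadgets.example.test",
]);

// Parse the gadget source and return its origin, or null if it is unusable.
// Comparing origins (scheme + host + port) avoids substring mistakes such as
// accepting "gadgets.example.test.attacker.test" as a trusted host.
function parseGadgetOrigin(src) {
  let url;
  try {
    url = new URL(src);
  } catch {
    return null;                       // not a URL at all
  }
  if (url.protocol !== "https:") return null;   // rejects http:, javascript:, data:
  return url.origin;                   // normalised: lowercase host, default port dropped
}

// Decide how (and whether) a gadget may be loaded when a wave is viewed.
function gadgetPolicy(src) {
  const origin = parseGadgetOrigin(src);
  if (origin === null) {
    return { load: "block", reason: "unparseable or non-https gadget source" };
  }
  const trusted = TRUSTED_GADGET_ORIGINS.has(origin);

  // Scripts may run inside the sandbox, but "allow-same-origin" is granted only
  // to a trusted gadget served from a different origin than the host: a frame
  // that has both allow-scripts and the host's own origin can remove its own
  // sandbox attribute and reach the host DOM and cookies.
  const sandbox = ["allow-scripts"];
  if (trusted && origin !== HOST_ORIGIN) sandbox.push("allow-same-origin");

  return {
    load: trusted ? "auto" : "on-click", // untrusted gadgets never run just by viewing
    sandbox: sandbox.join(" "),
    origin,
  };
}
```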
