Assuming it's allowed, I'll be more than happy to help any way I can. Just shoot me an e-mail or catch me on IRC. The one attack vector I had mentioned was purely theoretical; however, it does raise the issue of whether or not there is any kind of security mechanism in a wave. Being able to collaboratively add widgets or gadgets or whatever they want to call them is nice, but could cause so many problems.

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Michael Douglas
Sent: Wednesday, November 18, 2009 8:18 PM
To: PaulDotCom Security Weekly Mailing List
Subject: Re: [Pauldotcom] Google Wave

I *just* got my invite a few days ago. (thanks again Mr. Operator!)

I think there's much potential here... both for good and ill. What's most impressive to me though is just how well it works considering how young this is.

I'm looking into the ToS for wave and am trying to see if kicking the tires and doing some poking and prodding -- you know, attack research -- is allowed. If it is, I think there could be a wealth of research.

I'm going to be busy to pretty much the end of the year... but if someone wants to assist with wave attacks and such then, by all means let me know.

- Mick

On Tue, Nov 17, 2009 at 12:22 AM, gameman733 <[email protected]> wrote:
> Just got a Google Wave invite yesterday and got to sit down and play with it
> a bit today. I was wondering if anyone else on the list has had a chance to
> do anything with it. Right off the top of my head, I see a couple things
> that could make things interesting if Google has their way with Wave.
>
> One of the extensions that have been made is a basic html code inserter, so
> you can insert HTML code directly into a Wave. Obviously only people you
> trust should be added to any particular wave, but one of Google's examples
> at the developer's preview was using a wave for blog comments. I haven't
> tried anything like it just yet, but if you have a wave that anyone can
> contribute to, what's stopping someone from contributing this html extension
> with some malicious (or even annoying) code in it? It seems to me like it
> would defeat the purpose of some of the html stripping/encoding mechanisms
> on popular webapps.
>
> Has anyone else had a chance to look into Google Wave at all?
>
> _______________________________________________
> Pauldotcom mailing list
> [email protected]
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
