PhysOrg.com reports:
Software that hackers can trick people into installing on "iGoogle" home pages can track users' activities and control their machines, SecTheory chief executive Robert Hansen showed AFP on Friday. "I could force you to download child porn or send subversive material to China," Hansen said. "The exploitation is almost limitless. Google has to fix it."
Google lets people customize iGoogle home pages with mini-software programs called "gadgets" such as to-do lists, news feeds, currency converters, and calendars. Hackers can program malicious code into proffered gadgets or break into systems hosted by engineers providing legitimate mini-programs. "It turns out a lot of people who develop these things aren't good at security," Hansen said, citing research he and Cenzic security analyst Tom Stracener shared at a notorious annual DefCon hacker gathering in Las Vegas. "We pretty much break into anything we try."
Hackers can resort to a tactic of luring people to websites that trick people into installing applications in iGoogle home pages. A hacker can remotely control a victim's computer as long as the iGoogle page is open. Gmail users face danger from the same "hole" in security, according to Hansen, whose hacker name is "RSnake."
"We've been telling Google about these vulnerabilities for years and they have not made corrective actions," Hansen said. "They chose to open the doors and insomuch put a lot of consumers at risk." Google says it checks gadgets for malicious code, rarely finding any, and that it removes tainted programs.