Google+Facebook Extension Security Risk, Potential 'Malware'

 
 
By Fahmida Y. Rashid  |  Posted 2011-07-12
 
 
 

Even as users clamor to join the new Google+ social networking platform, not all of them are willing to leave behind Facebook, the other social networking site. The problem is, there's an application out there that lets them combine the two services but it may put users at risk.

Google+Facebook, a Web browser extension for Mozilla Firefox and Google Chrome, lets users see Facebook streams and update Facebook statuses while still within Google+. Developed by Israeli developer Crossrider, the extension has been well-received, exceeding over 100,000 downloads in one week.

However, the code may be insecure. Over on link-sharing message board Reddit, user RogueDarkJedi pointed out that Google+Facebook "acts like malware" and that it was a "security vulnerability waiting to happen."

Even Crossrider CEO Koby Menachemi acknowledged to Reuters "the product is not perfect" as it was written, tested and released in less than a day.

The main security risk comes from the fact that Google+Facebook downloads an external JavaScript file at every launch in order to work properly. Mozilla recommends against this practice as it puts all the extension's users at risk in the event the server hosting the file ever gets compromised.

Considering the recent rash of breaches by Anonymous and other cyber-attackers, it's not inconceivable that a malicious perpetrator can hack into Crossrider's servers and compromise the JavaScript file, causing all the users to wind up doing things more dangerous than putting Facebook status updates into Google+.

The app also changes search preferences to a site controlled by Crossrider and modifying the signature on e-mail messages sent from Gmail, Yahoo Mail, AOL Webmail and Microsoft Live with a customized message to encourage friends to start using the extension. There are also several "permission hacks" in order to run the code at a higher permission level.

"So should you trust these guys? In my opinion, [expletive deleted] no," RogueDarkJedi wrote.

Crossrider CTO Shmueli Ahdut posted on Lifehacker claiming Google+Facebook represents "the edge of extension technology today."

Cutting-edge or no, it may be best to stick with keeping the two social feeds separate for now. Even if one dismisses all the arguments about Crossrider being able to push down other software and configuration changes without notifying the user, the JavaScript file problem is a legitimate concern. If Mozilla and Google both frown on the practice, perhaps there's a reason developers shouldn't do that?

Rocket Fuel