Security Review – iGoogle

By hlv at 1:11 pm on November 20, 2008

iGoogle is a personal web portal service from Google that serves as a customizable start page to the Internet. It was Google’s star product in 2007, whose traffic had increased by 267.64%. In iGoogle, users can have several pages under different named tabs. Users can add Google gadgets and RSS feeds to the pages, and page layouts can be customized. iGoogle is an open platform on which anyone can create their own gadgets. Users can also share their iGoogle pages with others by sending out their pages with or without the settings for the contained gadgets. Unlike most other web portals, iGoogle dedicates a large amount of space at the top of its pages to Google’s own web search service.

There are many stakeholders of iGoogle. Users are the most obvious and probably the most important direct stakeholders. Google itself is a direct stakeholder as well. It benefits not only because it can collect all kinds of information about its users, but also because users will be more likely to use its web search service: Google puts a big search box at the top. Creators of Google gadgets are also direct stakeholders because they use iGoogle as the platform for their web applications. There are two kinds of indirect stakeholders. Content (RSS) providers, such as the New York Times, are indirect stakeholders because their RSS feeds can be directly added to iGoogle. Advertisers are the other indirect stakeholders because iGoogle promotes Google’s web search service, as mentioned.

One important asset of iGoogle is its handiness. iGoogle has tons of useful, high-quality gadgets for various scenarios and purposes. Users can put as much information as they like on it. It also loads very fast, which is important because most users use iGoogle quite frequently. In fact, a great number of users set iGoogle as their browser homepage. Had iGoogle taken tens of seconds to load, it wouldn’t have been that popular.

Another asset of iGoogle is the users’ personal information. iGoogle gadgets such as weather, Gmail, calendar, to-do list and sticky notes each contain very private information about users. Being a collection of these gadgets, iGoogle is more privacy-sensitive than any single one of its gadgets. Thus, keeping the private information safe is a very important security goal of iGoogle.

There are several threats to these assets. One is the looking-over-shoulder attack. The observer could be a friend, a stranger, or a hidden camera, depending on where iGoogle is used. It is a threat because by looking at one’s iGoogle pages from behind, the attackers can learn a lot about the user, such as his or her interests, stocks and agenda for the day. Another similar but more serious threat occurs when other people use your browser. As many users set iGoogle as their browser homepage and never log out for convenience, no password is needed in order to open iGoogle on their browsers. In such a case, people who gain access to your browser will also gain access to all your private information on your iGoogle.

Another threat is eavesdropping on the network.  This is always a threat for network applications, but it is more serious for iGoogle as it does not encrypt the communication between client and server, and gadgets are responsible for their own communication with the corresponding services.

Since iGoogle is an open platform, one threat is malicious gadgets. As reported by the media, users easily trust the gadgets found in Google’s gadget directory. They don’t realize that these gadgets can be developed by anyone, not just Google. Also, since malicious gadgets might be used along with other important gadgets like Gmail on the same page, they might be able to gain some access to these gadgets through bugs in iGoogle or the browsers. More easily, malicious gadgets can just slow down the loading speed of the whole page, which directly harms the handiness asset of iGoogle.

I think iGoogle is weak against many of the above threats. One is that iGoogle uses “http” instead of “https”, which obviously could reveal what apps users are using to eavesdroppers. Also, iGoogle does not show whether the gadgets themselves are using secure connections or not. For example, when using Gmail alone, one can notice that it uses https, and there are other indications such as a lock in the status bar. However, in the case of iGoogle, one cannot tell if the Gmail gadget is using “https” or “http”. Users may thus make wrong decisions, for example, reading emails over public Wi-Fi.

Another potential weakness against eavesdropping is that the iGoogle pages appear very frequently on the network, especially when set as browser homepages. This could definitely ease eavesdropping, as there is more redundancy. I am not sure how much such redundancy will help the attackers, but the attackers do get more information about the encryption. Also, when setting iGoogle as their browser homepage and seeing it over and over, users may lower their alertness against privacy leaks as iGoogle becomes more of a usual thing to them.

The “share” feature of iGoogle is another weakness against privacy leaks, because it also enables users to send settings for gadgets along with the page to other users. One case is that users might misunderstand the settings for gadgets as preferences for applications and send them. They will be surprised that their sensitive information, such as the contents of their sticky notes and their calendars, is also sent out. Generally, what is sent depends on the implementation of each gadget. The other case is that people who have gained access to one’s browser can send out his or her sensitive information with just a few clicks.

There are many possible defenses against the above-mentioned potential attacks.  One defense against the weakness of the “share” feature is asking for authentication (password) before sending out the settings for gadgets instead of just giving out warnings as in the current iGoogle.  The result is that malicious people can no longer send out all the private information easily.

Another defense, this one against the looking-over-shoulder attack, is to hide iGoogle pages when users are accessing iGoogle from an unrecognized IP address. This can prevent occasional privacy leaks when getting online using Wi-Fi in a public area. Some browser extensions can also be helpful by using more complex detection mechanisms.

As for secure connections, iGoogle could also let users decide whether or not to use “https”, as Google has done in Gmail. Since “https” may slow down the page, it is possible in some cases that users prefer faster loading.

iGoogle could also provide some indication of whether or not the gadgets are using secure connections. For example, it could put a lock icon on the gadget’s title bar to indicate that the gadget is using a secure connection. Such an indication is important in helping users make the right decision.
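
An added example, not code from iGoogle or from this post, of how a portal could compute the per-gadget lock indicator proposed above. The page and gadget structure, the function names and the URLs are hypothetical; it goes one step beyond the text by also withholding the lock when the container page itself is loaded over http, since a cleartext container can be altered in transit before any gadget frame loads.

```javascript
// Added example: constructed data and hypothetical names throughout.
// Decides whether a gadget deserves a lock icon on its title bar.
function isHttps(url) {
  try {
    return new URL(url).protocol === "https:";
  } catch (e) {
    return false; // unparsable or relative URL: treat as not secure
  }
}

function gadgetLockStatus(containerUrl, gadget) {
  const reasons = [];
  if (!isHttps(containerUrl)) {
    reasons.push("container page is not served over https");
  }
  if (!isHttps(gadget.frameUrl)) {
    reasons.push("gadget frame is not served over https");
  }
  for (const r of gadget.requests) {
    if (!isHttps(r)) reasons.push("cleartext request: " + r);
  }
  // Lock only when nothing on the path to the user is cleartext.
  return { title: gadget.title, locked: reasons.length === 0, reasons };
}

function pageLockReport(page) {
  return page.gadgets.map((g) => gadgetLockStatus(page.containerUrl, g));
}

// Constructed sample page (placeholder URLs, not real iGoogle endpoints).
const samplePage = {
  containerUrl: "http://portal.example/ig",
  gadgets: [
    { title: "Mail", frameUrl: "https://mail.example/gadget",
      requests: ["https://mail.example/feed"] },
    { title: "Weather", frameUrl: "http://gadgets.example/weather",
      requests: ["http://weather.example/api?zip=00000"] },
  ],
};

const httpReport = pageLockReport(samplePage);
const httpsReport = pageLockReport(
  { ...samplePage, containerUrl: "https://portal.example/ig" });
console.log(JSON.stringify({ httpReport, httpsReport }, null, 2));
```

With the http container, even the mail gadget that uses https everywhere gets no lock; switching only the container to https gives it one, while the weather gadget stays unlocked.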

As iGoogle keeps growing, the security issues mentioned can become more and more important. If not taken seriously, users’ privacy can be easily revealed to malicious people or organizations. As web browsing becomes more and more important in our daily life, iGoogle will be much more valuable. It can grow into a platform for all kinds of web applications, a personalized mash-up center, and a true start page to the Internet. And when more and more private information is placed in iGoogle, Google must provide better and more complete mechanisms for protecting users’ privacy in all contexts.

The security issues mentioned above are not unique to iGoogle; they also apply to all other web portal services such as Netvibes, My Yahoo, and Windows Live. Currently, developers have been focused on creating more useful and prettier gadgets in order to attract users. Less work has been done to improve the security of the platform. Users also haven’t yet paid attention to these issues, even though they are aware of them when using similar services separately, for example, Gmail. The success of iGoogle not only shows the potential of web portals but also emphasizes these security issues. If something goes wrong, even if it is the fault of a third-party gadget, Google will definitely be blamed. I like iGoogle a lot. It is fast, open, and has a lot of gadgets. I hope to see more security concerns from Google, as I already have tons of private information there.

Filed under: Security Reviews

1 Comment


    Comment by hamdi

    January 5, 2009 @ 9:26 am

    Nice information here….
    Just find this article from google, thank god I never used iGoogle.
