Oct 30, 2007 1:35 pm by Kip Kniskern | 2 comments
We’ve received some tips and comments about the Live Search Traffic gadget for Vista being removed from Windows Live Gallery when it updated last week, and indeed it is gone, along with the Live Search gadget. In an email to Donavon West, who wrote both gadgets and also posts here on LiveSide, I asked about the missing gadgets. He replied, in part:
The traffic gadget AND the Live Search gadget were both pulled because of possible security concerns. I’m working on an article that will talk about these concerns.
Specifically, in the case of the traffic gadget, it loads a script file from the Internet (the Virtual Earth API script). Doing so is now decreed by Microsoft as a no-no.
In loading scripts off of the Internet (as a sidebar gadget), a ne'er-do-well can inject malicious code via a MitM (man-in-the-middle) attack. While this can be done on any plain ole webpage, doing so in the Sidebar can be exceptionally malicious, as the code runs in the context of the logged-in user and can do all sorts of evil things like delete files.
Microsoft has not contacted me about re-writing the gadget to alleviate this problem. Frankly, I’m not sure anything can be done about it (at least easily).
Donavon goes on to cite an MSDN article titled “Inspect Your Gadget” that offers guidelines on writing secure gadgets. Donavon has promised to update us when his article is published, in a week or two. But for now, the gadgets are gone from Gallery, and using the traffic gadget opens up at least the possibility of script-injection (cross-site scripting style) attacks: anyone in the network path between the gadget and the server can swap in their own script, and in the Sidebar that script runs with the logged-in user's privileges rather than inside a browser page.
Hopefully these popular gadgets will return in a more secure form soon.