Facebook, Twitter Extensions For Google+ Pose Security Risk

Start your day with TPM.
Sign up for the Morning Memo newsletter

by Eric Smalley

The Google+Facebook and Google+Tweet browser extensions that let you add your Facebook and Twitter streams to Google+ are a great idea.

Unfortunately, they’re not ready for prime time.

The extensions’ maker, Israeli software developer Crossrider, built the Facebook extension in a matter of hours as a demonstration of its cross-browser development tools, Crossrider CEO Koby Menachemi told TPM. The extensions contain several bugs and limitations (I found several in a brief glimpse at them) but there’s also a larger, and more serious security vulnerability.

Every time you start Google+, the extension fetches a JavaScript file from Crossrider’s servers. JavaScript is inherently vulnerable to malicious behavior, and frequently downloading JavaScript files puts your computer at risk.

PC World‘s Ed Oswald outlined the problem. His bottom line:

“All it takes is AntiSec one time to hack into Crossrider’s servers and mess with that JavaScript file.

Soon your computer could be doing a lot more than just putting your Facebook stream on Google+. With 100,000+ users, it’s certainly an easy (and attractive) target.”

Crossrider officials have been engaged in a public sparring match with RogueDarkJedi, the otherwise unidentified person who sounded the alarm about the extension.

Google+Tweet suffers the same problem. But the vulnerability is not as bad as it seems, argues Menachemi. Crossrider’s extensions run within a secure sandbox, so even if there is malicious code it can’t cause harm, he said. The company is also working on an important security improvement: sending the updates via secure HTTP, Menachemi said.

Crossrider follows the architecture for Google’s Chrome browser, Menachemi said.

“You have to remember that with Chrome extensions, even those from Chrome’s web store, the developer can update his/her extensions with no limitation and it will be automatically updated on all users’ machines. Allowing the developer to update his code is crucial to keeping the extensions safe and working as expected.”

It’s a good idea to wait to see if the company addresses these issues, or if someone else develops a more secure way to pull your Facebook and Twitter streams into Google+.

There is a way to feed your Google+ posts to your Facebook and Twitter accounts, however, that doesn’t involve additional software.

The Tech FanaTic blog has the details. The trick is to use a feature of Facebook and Twitter that allows you to post via e-mail.

Despite their faults, the popularity of the extensions shows there’s demand for a way to pull together an increasingly fragmented social network presence. The single stream these tools are aiming for is ideal.

I bet it won’t be long before there are safe and stable ways to do this, especially given the growing popularity of Google+ and the increasing redundancies among the social networks.

The key is waiting for these to be fully cooked.

Eric Smalley has written about technology for more than two decades. His freelance credits include Discover, Scientific American, Wired News and CNet. He edits Technology Research News.

Have a story idea or tip for Idea Lab? Please send thoughts to: Idealab@talkingpointsmemo.com.

Latest Idealab
Comments
Masthead Masthead
Founder & Editor-in-Chief:
Executive Editor:
Managing Editor:
Associate Editor:
Editor at Large:
General Counsel:
Publisher:
Head of Product:
Director of Technology:
Associate Publisher:
Front End Developer:
Senior Designer: