Aviv Raff: The Inherent Insecurity of Widgets and Gadgets

Published: Jan. 9, 2006, 11:10 p.m.

Widgets (or Gadgets) are small applications that usually provide some kind of visual information or quick access to a frequently used function. Because widgets are in fact applications, they too can include malicious code. Furthermore, because legitimate widgets such as calculators and clocks are so simple, they are developed without security in mind.

In this presentation, we will explain the three different types of widgets in detail. We will demonstrate a proof-of-concept malicious widget for each type and also highlight the attack vectors for exploiting a vulnerable legitimate widget.

Following the demonstrations, we will talk at a high level about widgets integrated into mobile devices. We'll take a brief look at the Widgets 1.0 paper created by the W3C, and also talk about the similarity between widgets and browser extensions in terms of their inherent insecurity.

Aviv Raff is a security researcher specializing in application vulnerability research, security product evasion techniques and malicious code analysis. He contributes to projects such as Metasploit and the Month of Browser Bugs. He is also a co-creator of several well-known browser fuzzers, such as Hamachi, CSS-Die and DOM-Hanoi. In his spare time, Aviv works as a security researcher at Finjan's Malicious Code Research Center (MCRC).