Will Google's App Engine become a malware portal?

Security experts fear Google's new application hosting service App Engine will become a tool to spread malware and could ruin Web security defences.

Google last week announced it has opened its infrastructure to third-party developers who want to host their applications with the search giant. Several applications have already been launched; users need a Google account to access them.

While developers have raised concerns about platform lock-in, security experts are worried that App Engine could be abused to host malicious applications.

"If you look at the current state of play, a lot of the shared SQL databases and applications are hosted on boxes that are running several hundred other Web sites. That's how mass defacements occur — it only takes one weak application on a service that is used by multiple services, and you have managed to compromise hundreds of domains," Chris Gatford, senior security consultant for penetration testing firm Pure Hacking, told ZDNet.com.au.

"Let's say Google hosted a malicious application and there's also an unpatched bug in a browser. An attacker could gain access to anything the browser is logged into. Even if the browser is closed, there are session cookies that don't expire for a long time... If I am able to capture a session cookie for an application, there is a very good chance I could log in as you and get access to your information," said Gatford.

Just this week Google was forced to close a security hole in Google Docs which could be used by a hacker to steal a cookie from a user on Google Docs. Once stolen, the cookie could have been used to access other Google services the user has access to.

However, application developer and ex-president of Linux Australia, Jon Oxer, said that Google's App Engine won't leave Web users facing any greater risk than they already do. "Sure, people will use the platform to send out spam and run phishing attacks, but they already do that with existing providers," he told ZDNet.com.au.

"It's relatively easy to sign up for an account with a hosting provider who will give you a complete virtual machine that will allow them to run any software they like."

Defence mechanisms in security products, such as McAfee's reputation-based Web filtering service Site Advisor, could also be thwarted because such services generally consider Google Web properties not malicious.

"It will, to some extent, be a challenge for reputation-based Web ranking systems," McAfee senior security scientist, Nishad Herath, told ZDNet.com.au.

A Google spokesperson said the company will pull the plug on applications discovered to be malware.

"Using App Engine to deliver malware is a violation of our product policies, and we will disable any App Engine applications discovered to be malware," the spokesperson told ZDNet.com.au.