Interesting Security Issue with Google Wave Robots
So I was playing around with my Wave Robot and I had an evil thought.
What if I hid a feature in it so that it covertly stored all of the waves it was participating in? From a separate wave, I could then ask the Robot to print out the list of waves it was currently involved with. Then I could ask the Robot to add me as a full participant to any one of those waves the next time it was triggered by an event.
Example in a timeline:

WAVE 1, Participants: User 1, MyEvilRobot
1. MyEvilRobot is added and stores the waveID for WAVE 1.

WAVE 2, Participants: EvilUser, MyEvilRobot
1. EvilUser: hey robot, what waves are you part of?
2. MyEvilRobot: WAVE 1.
3. EvilUser: hey, add me to WAVE 1, will you?

WAVE 1, Participants: User 1, MyEvilRobot
1. User 1 adds a blip.
2. MyEvilRobot is triggered by User 1 adding the blip, detects that it should add EvilUser to WAVE 1, and creates a new participant, EvilUser.
3. Participants are now User 1, MyEvilRobot, EvilUser.

Do you find this a bit scary? I do. You could go further and just have MyEvilRobot add EvilUser to any waves it is added to. I wonder whether the participant who adds a robot should be required to approve any participants subsequently added by that robot.
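
The approval rule suggested above, sketched as an added example (not code from the original post and not the Google Wave Robots API). The `Wave` class, its method names and the "sponsor" term are hypothetical; the timeline data is constructed from the WAVE 1 steps above.

```python
class Wave:
    """Toy model of a wave's participant list (not the Google Wave Robots API)."""

    def __init__(self, wave_id, creator):
        self.wave_id = wave_id
        self.participants = {creator}
        self.sponsor = {}   # robot -> human participant accountable for it
        self.pending = {}   # proposed participant -> (required approver, is_robot)

    def add_participant(self, actor, new, is_robot=False):
        if actor not in self.participants:
            raise PermissionError(f"{actor} is not a participant of {self.wave_id}")
        if new in self.participants:
            return "already present"
        if actor in self.sponsor:
            # Robot-initiated add: hold it until the robot's sponsor approves.
            self.pending[new] = (self.sponsor[actor], is_robot)
            return "pending"
        self.participants.add(new)
        if is_robot:
            self.sponsor[new] = actor
        return "added"

    def approve(self, actor, new):
        approver, is_robot = self.pending.get(new, (None, False))
        if approver != actor:
            raise PermissionError(f"{actor} may not approve {new}")
        del self.pending[new]
        self.participants.add(new)
        if is_robot:
            # A robot admitted via another robot answers to the approving human.
            self.sponsor[new] = actor
        return "added"


def replay_timeline():
    """Replay the post's WAVE 1 steps (constructed data) under the approval rule."""
    wave1 = Wave("WAVE 1", "User 1")
    wave1.add_participant("User 1", "MyEvilRobot", is_robot=True)
    # User 1 adds a blip; the robot reacts by trying to add EvilUser.
    outcome = wave1.add_participant("MyEvilRobot", "EvilUser")
    return wave1, outcome


if __name__ == "__main__":
    wave, outcome = replay_timeline()
    print(outcome, sorted(wave.participants), wave.pending)
```

With this rule, step 2 of the final WAVE 1 sequence leaves EvilUser in a pending state that only User 1 can clear.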
