Zero Day Hole In Google Desktop
40by40 writes "A Web application security specialist has figured out a way to launch man-in-the-middle attacks against a computer with a fully patched Google Desktop installed. With knowledge of the Google Desktop security model (a combination of one-time tokens, iFrames and JavaScript), hacker Robert Hansen figured out a way to sit between a target launching a Google search query and manipulate the search results to take control of other programs on the desktop. From the article: '"This should drive home the point that deep integration between the desktop and the web is not a good idea, without tremendous thought put into the security model. As Google's site is unencrypted, and they place their content that can run executables on their site, it can be subverted by an attacker," Hansen warns. Hansen's advisory comes just days after Chris Soghoian's exposé of a similar man-in-the-middle attack scenario against a remote vulnerability in the upgrade mechanism used by a number of commercial Firefox extensions.'"
This should drive home the point that connections should flow over encrypted tunnels whenever possible, to reduce the ease of performing man in the middle attacks. If this session flowed over an SSL style connection, the man in the middle would first need to figure out how to get into that session. That strategy seriously reduces the places where malicious code can exist "in the middle". Don't throw the baby (rich client interaction with services in the cloud) out with the bathwater.
If you mod me down, I shall become more powerful than you could possibly imagine.
By now, everybody developing browser components should know that you do not provide functions which can execute arbitrary programs.
Usually, it's Microsoft doing this, with Outlook, IE, Office, etc. launching other applications. This is the source of most of the vulnerabilities involving web browsing. Now we have Google competing to offer similar security holes.
Yeah for sure, now that Apache runs 60% of the Web, all those crackers are finding tons of exploits for it every day!
The more you know, the less you understand.
Once you are compromised this way the attack tries to take advantage of cross scripting vulnerabilities in a browser to run code in the compromised machine. I am not sure if there is anything unique to Google Desktop here. Could the same attack take advantage of the numerous ActiveX vulnerabilities?
Is the "security expert" trying to get more mileage by listing each exploitable hole of a man-in-the-middle attack as a separate discovery?
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
"Tremendous thought" is a weaker notion than transparency, public scrutiny, or even rigorous proof, which are really what's required.
Everything else is just hope; hide and seek.
Hopefully Google can learn and set an example here.
There are no karma whores, only moderation johns
This is even more of a problem since more and more installers like Irfanview's or Adobe's include Google Desktop (and/or toolbar) and there is no way to skip them when doing automated installs... what a sick trend.
Did the industry and Google learn nothing from the mistakes Microsoft made?
Even MS has done a 180 and with Vista broke all the internal/external links that made XP/ActiveX/IE such a mess. So if MS is smart enough to learn from their mistakes you would think a company like Google would not go out of their way to emulate the same bad security ideas.
Is it just me, or is Google racing to be the next big evil? Gmail scanning, search data compiling, Firefox reporting, desktop document reporting, and now making really stupid software design decisions?
I think the premise of the article is rather stupid in fact.
It is not Google's job to provide a secure channel.
I guess when I do a MITM attack to capture login prompts and transparently proxy, that is Google's problem also?
Or when I resolve DNS queries to my own box, that is likewise Google at fault?
Lol.
Plan 9?
We'd better get used to Google becoming the butt of jokes usually aimed at ActiveX. Google Gears, Google Desktop, Google whatever. We now realize that the developers that develop these technologies simply get traded between the big 3 (Google, MS, Yahoo) and others.
Are we all finally realizing that Google writes insecure apps just like every other software development company that is made up of humans?
I think it would be better to be based on Plan 9. But no one talks about it anymore. Is development still continuing?
Semi-automatic amateur armchair Australian philosopher; conjecture ready at any moment...
Why on this Earth would Google want an OS?? They already have it - it is called "The Browser". That's what they use to make money. They may want to extend its usage, but I doubt that Google will ever want to deal with the "desktop" in the same way as Microsoft, Apple or Linux community.
Google is about control. They want to control your information for their own profit. They show it again and again. That's how they make money. The more targeted the ads, the more money they can make. The only competitor I think they may have here is Amazon, but that only deals with your book preferences. Google wants your wants so they can sell something from one of their customers.
Thus it is NOT in the interest of Google to make a desktop. They are not in the business of making software like MS or Apple or GNU or even IBM. They are in business to manage information about you and me. Their "free" solutions are just there so you can give them more info about yourself.
Hope that is clear enough.