Zero Day Hole In Google Desktop

← Back to Stories (view on slashdot.org)

Zero Day Hole In Google Desktop

Posted by Zonk on Friday June 1, 2007 @09:47AM from the please-stop-the-internet-from-leaking dept.

40by40 writes "A Web application security specialist has figured out a way to launch man-in-the-middle attacks against a computer with a fully patched Google Desktop installed. With knowledge of the Google Desktop security model (a combination of one-time tokens, iFrames and JavaScript), hacker Robert Hansen figured out a way to sit between a target launching a Google search query and manipulate the search results to take control of other programs on the desktop. From the article: 'This should drive home the point that deep integration between the desktop and the web is not a good idea, without tremendous thought put into the security model. As Google's site is unencrypted, and they place their content that can run executables on their site, it can be subverted by an attacker," Hansen warns. Hansen's advisory comes just days after a Chris Soghoian's exposé of a similar man-in-the-middle attack scenario against a remote vulnerability in the upgrade mechanism used by a number of commercial Firefox extensions.'"

6 of 113 comments (clear)

Min score:

Reason:

Sort:

Google operating system? by Oldsmobile · 2007-06-01 09:50 · Score: 2, Interesting

Google should stop screwing around and just bite the bullet: develop your own operating system based on Linux and get it over with. Windows Vista is down, kick them in the nuts when you can!

--
Some say he is made with ascii, others that he is eyeballed daily by millions. All we know is, he is known as the Sig
1. Re:Google operating system? by AKAImBatman · 2007-06-01 10:01 · Score: 4, Interesting
  
  develop your own operating system based on Linux and get it over with.
  
  No offense to Linux, but I think that would offend Google's sense of style. Unix-style OSes are great when you need low-level access to the hardware (e.g. GoogleFS), but don't infer any sort of inherent advantage in the desktop arena. In fact, the classic Unix design is very desktop unfriendly, which is why all kinds of user-friendly packages like automounter have been created.
  
  Given the number of Ph.D. brainiacs Google has their hands on, I would expect them to create a new OS from the ground up that is more focused on the issues of dealing with the web and network in general. e.g. If it can be coded to avoid buffer overflow situations, that would be a great start. Greater focus on caching services and integrated URL handling might also be things you would see more of. Unicode everything rather than dealing with different text formats. (Incoming formats would need to be converted before they could be used.) Overall minimalist design. i.e. Don't include anything that isn't absolutely necessary to getting the job done. (Compare: The number of features on Google homepage to the number of features on the average Linux desktop.)
  
  I will happily eat crow if Google ever produces a Linux desktop, but gut instinct says that they won't. So don't get your hopes up.
  
  --
  Javascript + Nintendo DSi = DSiCade
2. Re:Google operating system? by poopdeville · 2007-06-01 10:35 · Score: 4, Interesting
  
  In fact, the classic Unix design is very desktop unfriendly, which is why all kinds of user-friendly packages like automounter have been created.
  
  Your point is pretty vacuous. The user-friendly packages already exist, and as OS X and Ubuntu (as a Linux example) show, can be used to great effect.
  
  But you're right. Google won't produce a Linux desktop. They'll probably use a BSD variant, should they ever produce a desktop at all.
  
  --
  After all, I am strangely colored.
Google size issues by ushering05401 · 2007-06-01 10:10 · Score: 3, Interesting

Anyone want to bet that this is the beginning of a little landslide?

I wish the Google team all the best in dealing with this issue... but I am scratching my head at the speed with which they are attempting to diversify their offerings.

Google did not become a dominant force overnight. They fought battles, learned lessons, and refined/defined search capabilities for the entire world. Why have they been shooting off in a dozen different directions? Is there any way that even they can stay on top of all the little details considering the number of immature products they are floating?

Anyhow, the next couple of days will go a long way towards showing exactly how far the Google team needs to go before I trust them on my desktop. Here's hoping they prove to have the response time/customer centric attitude that made them my preferred search provider.

Regards.
Hanging your guts out by Colin+Smith · 2007-06-01 10:35 · Score: 3, Interesting

It's the phrase which springs to mind with "web 2.0" applications. You have an exposed API on both sides, the client and the server.

--
Deleted
business as usual by siddesu · 2007-06-01 10:49 · Score: 3, Interesting

installing third-party applications that connect to someplace, download something, and do something on on your machine, and being exposed when those applications are shown to have bugs is news how?

the google engineers aren't magicians. when they develop features, they do so under tight schedule, and make mistakes, especially those hired to code (as opposed to do PR). the only reason there haven't been more problems discovered is likely the fact that they don't distribute much software.

besides, google's main goal isn't promoting security. their primary goal is to hookup lotsa people -- and in their case, that means to deliver applications with lotsa features quickly, because people are hooked on the features, the competition ain't sleeping, and that first-comer advantage matters.

does that remind you of another company? it should, because all of them successful companies ain't that much different at all ;)