Zero Day Hole In Google Desktop
40by40 writes "A Web application security specialist has figured out a way to launch man-in-the-middle attacks against a computer with a fully patched Google Desktop installed. With knowledge of the Google Desktop security model (a combination of one-time tokens, iFrames and JavaScript), hacker Robert Hansen figured out a way to sit between a target launching a Google search query and manipulate the search results to take control of other programs on the desktop. From the article: '"This should drive home the point that deep integration between the desktop and the web is not a good idea, without tremendous thought put into the security model. As Google's site is unencrypted, and they place their content that can run executables on their site, it can be subverted by an attacker," Hansen warns. Hansen's advisory comes just days after Chris Soghoian's exposé of a similar man-in-the-middle attack scenario against a remote vulnerability in the upgrade mechanism used by a number of commercial Firefox extensions.'"
This should drive home the point that connections should flow over encrypted tunnels whenever possible, to reduce the ease of performing man-in-the-middle attacks. If this session flowed over an SSL-style connection, the man in the middle would first need to figure out how to get into that session. That strategy seriously reduces the places where malicious code can exist "in the middle". Don't throw the baby (rich client interaction with services in the cloud) out with the bathwater.
If you mod me down, I shall become more powerful than you could possibly imagine.
Yeah, for sure, now that Apache runs 60% of the Web, all those crackers are finding tons of exploits for it every day!
The more you know, the less you understand.
"Tremendous thought" is a weaker notion than transparency, public scrutiny, or even rigorous proof, which are really what's required.
Everything else is just hope; hide and seek.
Hopefully Google can learn and set an example here.
There are no karma whores, only moderation johns
this is even more of a problem since more and more installers like Irfanview's or Adobe's include Google Desktop (and/or toolbar) and there is no way to skip them when doing automated installs... what a sick trend.
You need to change this to read: "feed a cat". Google will feed your cat up until the index change after which it will start feeding another cat. To be grammatically precise: "a cat" will be fed. There is just no guarantee that it will be "the cat."
Google Operating And Time Sharing Environment.
It is not Google's job to provide a secure channel.
Yes, it is. If they're exchanging data between their desktop app and their web service, they need to do encryption and key verification to make sure the pipe isn't compromised. Stuff outside of that (like local keyloggers) is your concern, or someone else's. But between their two endpoints, they need to secure the channel.
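The "SSL-style connection" the earlier comment asks for and the "encryption and key verification" this one asks for, as an added worked example. This is not code from the Slashdot thread, from Hansen's advisory or from Google: it is a plain Python TLS client that requires a valid chain and hostname match and then additionally pins the leaf certificate's SHA-256 fingerprint, so an attacker on the path would need both a CA-trusted certificate for the host and one that matches the pin. The names `fetch_pinned`, `PinMismatch` and `PINNED_SHA256` are this example's own, and the sample certificate bytes are constructed, not a real certificate.

```python
"""TLS with chain validation plus certificate pinning (added example).

Not code from the thread or from Google Desktop. Shows the "encryption and
key verification" step the comment above calls for. Names are this example's
own; SAMPLE_DER is constructed and is not a real certificate.
"""
import base64
import hashlib
import socket
import ssl

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


class PinMismatch(Exception):
    """The server presented a certificate that is not in the pin set."""


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the body to DER bytes."""
    body = [
        line.strip() for line in pem.splitlines()
        if line.strip() and line.strip() not in (PEM_HEADER, PEM_FOOTER)
    ]
    return base64.b64decode("".join(body))


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 over the whole DER certificate, as lowercase hex.

    Whole-certificate pins are the simplest to compute with the standard
    library; SPKI pins (hash of the public key only) survive certificate
    renewal but need an ASN.1 parser, which this example avoids.
    """
    return hashlib.sha256(der).hexdigest()


def pin_matches(der: bytes, pins) -> bool:
    """True if the certificate's fingerprint is one of the pinned values."""
    return cert_fingerprint(der) in {p.lower() for p in pins}


def make_verifying_context() -> ssl.SSLContext:
    """Context that rejects unverifiable chains and hostname mismatches.

    create_default_context() already sets CERT_REQUIRED and check_hostname;
    they are set again explicitly so the intent is visible in review.
    """
    ctx = ssl.create_default_context()
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def fetch_pinned(host: str, pins, port: int = 443, path: str = "/") -> str:
    """HTTPS GET that fails closed unless the chain validates AND the leaf
    certificate is pinned. Returns the HTTP status line.

    A man in the middle would need a CA-trusted certificate for `host` whose
    hash is also in `pins`; a plaintext HTTP exchange needs neither.
    """
    ctx = make_verifying_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if der is None or not pin_matches(der, pins):
                seen = cert_fingerprint(der or b"")
                raise PinMismatch(f"{host}: leaf fingerprint {seen} not pinned")
            request = f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n"
            tls.sendall(request.encode("ascii"))
            return tls.recv(4096).split(b"\r\n", 1)[0].decode("iso-8859-1")


# Constructed sample (NOT a real certificate): arbitrary bytes wrapped in PEM
# armour so the PEM -> DER -> fingerprint path can be exercised offline.
SAMPLE_DER = b"constructed-sample-certificate-bytes"
SAMPLE_PEM = (
    PEM_HEADER + "\n"
    + base64.b64encode(SAMPLE_DER).decode("ascii") + "\n"
    + PEM_FOOTER + "\n"
)
# Hypothetical pin store: what the client would ship with, obtained out of band.
PINNED_SHA256 = {cert_fingerprint(SAMPLE_DER)}

if __name__ == "__main__":
    print("sample pin ok:", pin_matches(pem_to_der(SAMPLE_PEM), PINNED_SHA256))
    # Real use: fetch_pinned("desktop.example.com", PINNED_SHA256) raises
    # PinMismatch for any certificate other than the pinned one, even if a
    # trusted CA issued it.
```

The pin set has to be delivered out of band (shipped with the client, updated through a signed channel), otherwise the same man in the middle that rewrites search results can rewrite the pins; and whole-certificate pins must be rotated whenever the server certificate is renewed, which is why production deployments usually pin the public key instead.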