Slashdot Mirror

← Back to Stories (view on slashdot.org)

Poisoned Google Image Searches Becoming a Problem

Posted by Soulskill on from the quick-search-for-the-antidote dept.

Orome1 writes "If you are a regular user of Google's image search, you might have noticed that poisoned search results have practically become a common occurrence. Google has, of course, noticed this and does its best to mark the offending links as such, but they still have trouble when it comes to cleaning up its image search results."

14 of 262 comments (clear)

  1. web 101: don't run unknown javascripts by Anonymous Coward · · Score: 4, Insightful

    From TFA: "it displays another script - this time it's a JavaScript one - that redirects the browser to another compromised site that serves malware."

    By 2011, it should be considered "web 101" to not run javascripts unless you have a reason TO run them. Most people seem to just run any old javascripts by default, without having the first clue what it might be doing. There can't be much debate that it's a stupid course of action, given how many people's machines are jacked by exactly that attack vector (albeit possibly using another as well).

    Yeah, yeah, I know, you need javascript for your bank. That's great: whitelist your damn bank. But run only javascripts on your *whitelist*, not any thing any random yahoo from a site you've never heard of before wants you to run. Would you treat your physical possessions that way? Would you let a drug gang in eastern europe borrow your car with your permission? If not, why would you allow them to use your computer?

    I swear that the reason I haven't had a malware in my entire PC using history, and others seem to have them on a weekly or monthly basis, is because I don't completely shut off my brain once the words "... on the computer" appear in a sentence.

    1. Re:web 101: don't run unknown javascripts by Frosty+Piss · · Score: 4, Insightful

      By 2011, it should be considered "web 101" to not run javascripts unless you have a reason TO run them. Most people seem to just run any old javascripts by default...

      This is not going to happen. Many major websites, many of the highest traffic websites involve hundreds of JS scripts to make a single page function. Web 2.0 and all...

      The *average non-techie web surfer* is simply NOT going to turn off JS.

      Will not happen... So, it's not realistic or productive to waste time discussing such an option.

      Sad, but true.

      --
      If you want news from today, you have to come back tomorrow.
    2. Re:web 101: don't run unknown javascripts by blindseer · · Score: 5, Insightful

      It's 2011, there should not be anything a Javascript can do that is harmful to your computer.

      --
      I am armed because I am free. I am free because I am armed.
    3. Re:web 101: don't run unknown javascripts by AsmordeanX · · Score: 4, Insightful

      I tried running with Javascript disabled. Five years ago you could get away with it. Now so many sites, especially with jQuery being so pervasive, simply don't work with JS disabled or you get an ugly broken thing.

      I hear the claim, "Well you can run it on trusted sites". What has the site done to earn my trust? Why couldn't a malicious site appear interesting enough to prompt you to turn JS on and thus be attacked. Only a little social engineering can defeat NoScript. Whitelisted sites can become compromised as well.

    4. Re:web 101: don't run unknown javascripts by Low+Ranked+Craig · · Score: 3, Insightful

      Uh, no. Javascript is required for a significant portion, I'd say most, of the high traffic sites out there. It is simply not feasible, or acceptable to suggest that all users disable a significant portion of the functionality of the web.

      --
      I still cannot find the droids I am looking for...
    5. Re:web 101: don't run unknown javascripts by Frosty+Piss · · Score: 4, Insightful

      They will after their machine has to be taken into the shop again for maintenance due to being infected by drive-by exploits like this.

      You might think, but there is a lot to suggest that what you suppose is not the case.

      The fact is, the average non-techie user values "interactive" over "secure". Those in the business of servicing PCs on the consumer level will tell you this.

      --
      If you want news from today, you have to come back tomorrow.
    6. Re:web 101: don't run unknown javascripts by Undead+Waffle · · Score: 3, Insightful

      Why sad? THe ability to have portions of the page refresh without round-tripping to the server for a whole new page is only one of the highly useful functions provided by JS.

      It's useful when used correctly. But when all of the links are JS and I can no longer middle click to open in new window I get annoyed.

    7. Re:web 101: don't run unknown javascripts by jabberw0k · · Score: 3, Insightful
      Indeed. This whole article confuses me. I have been doing web development since the 1990s and the whole point of Javascript was that it cannot cause a program to be run or installed on your computer... otherwise the web browser is insecure. If Javascript code can permit code to run on your computer, that would be a show-stopping browser bug! If that is true, then the only way to prevent this is to stop using that broken browser entirely. But that cannot be the case, can it?

      I find it hard to understand why this whole article is a problem...

    8. Re:web 101: don't run unknown javascripts by Anonymous Coward · · Score: 2, Insightful

      The trouble is that you likely get a substantially degraded experience on some sites.

      Ironically I consider all that AJAX-javascript-navigation stuff complete and utter bullshit. That right there degrades experience, not the other way around.

      Before Javascript you could navigate sites in a "standardised" way, i.e. open links in tabs, use back and forward buttons and so on. All sites worked the same. Javascript broke that. Now sites have to reimplement this functionality in their own unusual way; most just don't do it. So navigation gets a lot harder WITH your fancy javascript.

      I get it, as a developer you love fancy new technology. However as a visitor/customer it's a usability nightmare.

    9. Re:web 101: don't run unknown javascripts by Waccoon · · Score: 3, Insightful

      Because browsers allow 3rd party Javascript to run as if it were 1st party. This makes advertisers happy.

      I've been complaining about this for years, but so long as the new economy demands that browsers be supported through sponsorships and ads, security just won't become a priority.

      Hell, reading a PDF can infect your PC with a virus? I've got a great idea... let's build a PDF reader right into the web browser, and for bonus point, you can't disable it. It's okay, we built a sandbox for it, and made JavaScript twice as fast for good measure. Oh, but we still won't include support for [insert FOSS codec of choice here] because it will make the browser too bloated.

  2. Use an alternative search. by Deathlizard · · Score: 3, Insightful

    At this point, I feel SEO poisoning is so bad on Google that I find myself using other search engines more since they don't seem to be as big of a target.

    Altavista, Ask and Bing have just been giving me more relevant search results lately. Google seems to like to show more SEO sites, forum reposters that just repost the same forum entries over and over and "Meta Search" sites such as software informer and alibaba.

    Image search Rogueware poisoning is yet another reason to start looking somewhere else for search results.

    --
    In Soviet Russia, Trojan exploits YOU!
  3. a couple add ons that help by d6 · · Score: 5, Insightful

    I surf with requestpolicy and noscript up. It is utterly amazing the number of websites that can't render a page without firing scripts or loading content from 6, 8, 10 or more different domains.
    If you haven't tried these, do it and be amazed at how many sites load without stylesheets, pictures etc. It's amazing how badly shit is implemented - zero thought about graceful degradation.

    no script
    requestpolicy

    1. Re:a couple add ons that help by Low+Ranked+Craig · · Score: 3, Insightful

      Not zero thought about degradation and not bad implementation. This isn't the same as developing for IE for example. It's simply that implementing features two ways - one for JS and one for no, takes more than twice as much effort, so it doesn't get done. I've told clients before about the JS issues, but what it comes down to is the client doesn't want to spend twice as much to service the 2% that turn off JS. Period. They get a message that tells them to enable JS to use those functions. It's cost vs. benefit 101.

      --
      I still cannot find the droids I am looking for...
  4. Re:Mac is vulnerable too by Teckla · · Score: 4, Insightful

    It did not download and execute, it downloaded and opend the installer. Your wife would have had to go clicking through a an installer, and provided her admin credentials, in order to have installed/run something.

    Sorry, I'm not a Mac expert. All I know is that it automatically downloaded something, and automatically executed something. I'm not technically knowledgeable enough about OS X to know that, even though we immediately exited the malware installer, that nothing bad could possibly have happened.

    And I'm still not convinced the malware installer didn't do something bad before it popped up its first GUI window. I'm not accusing you of being a liar, but my wife uses her Mac to access our bank accounts and such. I have no choice but to nuke the site from orbit (reinstall OS X). I'd like to trust that because someone on the Internet said I'm safe and not to worry about it, that I can just plain not worry about it, but I just can't take that risk.

    At the end of the day, Apple/Safari's amazingly fucked up defaults burned us good and hard. It'll take me days to fully reload and reconfigure her machine.

    Thanks, Apple...