It's Monday's IT Blogwatch: in which we worry about Google's security. Not to mention I HAS 1337 CODE LOL!!1...
Just one day after a security researcher showed how Google Inc.'s Firefox toolbar could be exploited in an online attack, a similar flaw has been discovered in the Google Desktop. On Thursday, ... Robert Hansen ... CEO of Web security consultancy Sectheory.com, and a contributor to the Ha.ckers.org site ... posted proof of concept details showing how attackers could use Google Desktop to launch software that had already been installed on the victim's computer. The attack ... does illustrate the kind of security issues that arise with Web-based applications
...
To exploit Hansen's Google Desktop vulnerability, an attacker would first have to launch a successful "man-in-the-middle" [MITM] attack, somehow placing himself between the victim and Google's servers. This could be done by tricking the victim into logging onto a malicious wireless network, Hansen said.
Once this was done, the hacker could launch Hansen's attack by changing the Web pages being delivered to the victim's PC. By returning Web pages that have been doctored with new JavaScript code, the victim could be tricked into clicking onto a malicious link ... The steps Hansen took to pull off the attack are complex because of the security features that Google has built into its software
Robert Hansen is the horse's mouth:
Google Desktop has had a troubled past. It has encountered tons of security problems with its implementation, and continues to suffer. This time may be a little different than most times, but it is systemic of the same issues. When you attempt to combine web-pages with applications that have any significant power you run into security flaws ... This is exactly one of those cases ... we could have launched almost anything you can imagine, including programs that connect out to the web, uninstall programs, etc. ... This should drive home the point that deep integration between the desktop and the web is not a good idea, without tremendous thought put into the security model.
...
Mitigating factors: Obviously this has two big caveats to it. The first being that the attacker is sophisticated enough to launch a MITM attack against you similar to how Airpwn works. The second is that you have Google Desktop installed. To avoid these issues, only use trusted networks while Google Desktop is installed, keep it from indexing certain dangerous files or uninstall it completely. [read more and see video]
Dan Goodin counts four Google security issues in seven days:
The search king, despite the god-like aura it enjoys for its pleasing software designs, remains a mere mortal in the security cosmos ... Here's how it works: While web surfing at a cybercafe, a victim using a fully-patched machine running Google Desktop performs a Google search. The MITM agent detects the query and injects two iframes, one linked to a malicious URL and the other that secretly follows the victim's cursor as it moves about on the browser page ... As the malicious search query loads, the attacker forces Google Desktop to load as well. By dint of the iframe secretly following the mouse, the victim unknowingly clicks on the Google Desktop query, allowing the attacker to run any application that has been indexed by the Google program.
At about the same time ... a separate researcher ... exposed a nasty cross-site scripting (XSS) error in Gmail ... A third vulnerability ... resided in a Google feature that allows webmasters to request pages be removed from Google search results ... anybody could traverse up the directory root structure and browse folders at will and sniff out weak database passwords ... The fourth vulnerability ... Google opted to use a less-secure, unvalidated method ... [to] update Google Toolbar and Google Browser Sync ... and also chose to install updates without seeking a user's permission.
...
The past week has done plenty to demonstrate Google is as fallible as any other earth dweller, particularly when it tries to rise above its search-engine origins and do more complicated things. We'd all do well to remember that for all its achievements, Google is forever susceptible to the cosmos's darker forces, not to mention its own hubris and carelessness.
And Nitesh Dhanjani is worried about the new Google Gears:
Google Gears, as you may have heard, is a browser extension that lets you develop applications that can run offline. If you haven’t already, try out the sample applications to get a feel for the functionality Google Gears has to offer ... It’s a good idea to brainstorm on the possible security implications of Google Gears because it facilitates web code to act upon the user’s local disk (sand-boxed with the browser’s same origin policy)
...
I like the concept of Google Gears. I think it’s a great idea. Just like everything in life, the increased functionality it provides is not without increased risk. If I had to pick from the list above, I’d guess that we are most likely to hear of existing XSS or browser vulnerabilities being abused to steal (or manipulate) Gears databases.
- It is great that the documentation warns users about SQL Injection ... [Google] cannot prevent the construction of JavaScript strings that accept user input to construct SQL statements (dynamic SQL). All they can do at this point is warn the developers ...
- I like the fact that the Gears plugin asks the user’s permission when a website attempts to use the plugin ...
- Gears’ SQL based API may make it easier for a XSS attack to pull or manipulate data from the victim’s Gears database ...
- I don’t see any restrictions on how big the Gears database can get. There is no option to configure the Gears browser extension to restrict the size of a database. This may contribute to a denial of service attack by a rogue website ... or by an attack exploiting a XSS vulnerability in a website that uses Gears.
- There is no API to facilitate the encryption of the offline data ...
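Dhanjani's dynamic-SQL warning, shown side by side with the hardened form, as an added example that is not part of his post or of Google's Gears code. Gears' database object exposes execute(sqlText, argArray), where values in the second argument are bound to '?' placeholders; the example models that interface with a small recorder of our own (recordingDb, openGearsOrRecordingDb, findNotesUnsafe, findNotesSafe, the "notes" table and the PAYLOAD string are all assumptions here, not anything in the original) so it runs offline outside a Gears-enabled browser and shows exactly what statement text reaches the engine in each case.

```javascript
// Added example (not from the original post or from Google Gears itself):
// dynamic SQL versus parameter binding against a Gears-style database API.
//
// Gears' database object exposes execute(sqlText, argArray); the second
// argument is bound to '?' placeholders. recordingDb() is our own stand-in
// for google.gears.factory.create('beta.database'): it records what reaches
// the engine instead of executing anything, so the example runs offline.

function recordingDb() {
  const calls = [];
  return {
    calls,
    execute(sql, args) {
      calls.push({ sql, args: args ? args.slice() : [] });
      return { close() {} }; // mimic the result-set handle Gears returns
    },
  };
}

// Use the real Gears database when the extension is present, else the recorder.
function openGearsOrRecordingDb(name) {
  if (typeof google !== 'undefined' && google.gears) {
    const db = google.gears.factory.create('beta.database');
    db.open(name);
    return db;
  }
  return recordingDb();
}

// Vulnerable: user-controlled input is spliced into the statement text, so a
// quote in the input changes the query's structure (classic SQL injection).
function findNotesUnsafe(db, author) {
  const sql = "SELECT body FROM notes WHERE author = '" + author + "'";
  db.execute(sql);
  return sql;
}

// Hardened: the statement text is a constant; the value travels in the arg
// array and is bound by the engine, never parsed as SQL.
function findNotesSafe(db, author) {
  const sql = 'SELECT body FROM notes WHERE author = ?';
  db.execute(sql, [author]);
  return sql;
}

// Constructed payload of the kind an XSS foothold in the page could feed into
// the page's own query builder.
const PAYLOAD = "nobody' OR '1'='1";

// Run both builders against the same payload and report what the engine saw.
function demo() {
  const db = openGearsOrRecordingDb('notes-demo');
  const unsafeSql = findNotesUnsafe(db, PAYLOAD);
  const safeSql = findNotesSafe(db, PAYLOAD);
  return { unsafeSql, safeSql, calls: db.calls };
}
```

With the payload above, the unsafe builder hands the engine a WHERE clause that is always true, so every row comes back; the safe builder's statement text is unchanged and the payload is just a string argument. The same distinction applies to INSERT and UPDATE statements built from form fields, which is where the manipulation Dhanjani describes would land.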
This should drive home the point that connections should flow over encrypted tunnels whenever possible, to reduce the ease of performing man in the middle attacks. If this session flowed over an SSL style connection, the man in the middle would first need to figure out how to get into that session.
We'd better get used to Google becoming the butt of jokes usually aimed at ActiveX. ... the developers that develop these technologies simply get traded between the big 3 (Google, MS, Yahoo) and others ... [does] Google write insecure apps just like every other software development company that is made up of humans?
But 140Mandak262Jamuna is skeptical:
Basic premise of the whole scheme sketched out in the article seems to be having a man in the middle. Maybe an evil twin router offering network connection near a coffee shop or a malicious laptop in an airport faking an "infrastructure mode" SSID in ad-hoc mode or something like that ... I am not sure if there is anything unique to Google Desktop here. Could the same attack take advantage of the numerous ActiveX vulnerabilities?
Is the "security expert" trying to get more mileage by listing each exploitable hole of a man-in-the-middle attack as a separate discovery?
naasking reminds us why this is a big deal:
Don't be daft, SSL was created to prevent exactly these attacks, so why isn't it being used? Why does the Google toolbar submit all your potentially authority-bearing https urls to their anti-spam service in clear text? As good as Google is in certain areas, they're absolutely horrid when it comes to basic security measures.
Buffer overflow:
Around the Net / Around Computerworld
- Frank Scavo: Oracle now charges SAP with copyright violation
- Roland Piquepaille: Turning cars into wireless network nodes
- Donna Bogatin: Google bets billions to lock-in search dominance
- John R. Meyer: POWER6 Goes Thud: Part I. Or, How Clark W. Griswold Wound Up With the Wagonqueen Family Truckster
- Kuldeep Singh: Project Compliance
- Scobleizer: Comparison of Yahoo Pipes to Microsoft's PopFly
- Robert Vollman: SQL Interview Questions
- Mike Masnick, Techdirt: Cost vs. Benefit In Tracking Down People Using AP Content
- Dan Morrill: It is good to have Ajax and Ruby Skills
- Michael Santo: China to Enforce Universal Cell Phone Charger
Previously in IT Blogwatch
- Douglas Schweitzer: Business: slow to take a bite...
- Preston Gralla: Did Google Earth help NYC terrorists?
- Michael R. Farnum: Information / Data Leak Prevention - Somewhat immature market, but worth looking at
- Michael R. Farnum: The Spam King is in jail -- so why am I still getting spam?
- Douglas Schweitzer: New Hampshire says 'get real' to the Real ID Act
- Shark Bait: How One Nice Little Old Lady Brought Down the Network
And finally... LOLCODE [KTHXBYE]
Richi Jennings is an independent technology and marketing consultant, specializing in email, blogging, Linux, and computer security. A 20 year, cross-functional IT veteran, he is also an analyst at Ferris Research. Contact Richi at blogwatch@richi.co.uk. I promise never again to make fart jokes in IT Blogwatch titles.