Google security suspicions surface (and LOLCODE)

It's Monday's IT Blogwatch: in which we worry about Google's security. Not to mention I HAS 1337 CODE LOL!!1...

Robert McMillan reports:

Just one day after a security researcher showed how Google Inc.'s Firefox toolbar could be exploited in an online attack, a similar flaw has been discovered in the Google Desktop. On Thursday, ... Robert Hansen ... CEO of Web security consultancy, and a contributor to the site ... posted proof of concept details showing how attackers could use Google Desktop to launch software that had already been installed on the victim's computer. The attack ... does illustrate the kind of security issues that arise with Web-based applications


To exploit Hansen's Google Desktop vulnerability, an attacker would first have to launch a successful "man-in-the-middle" [MITM] attack, somehow placing himself between the victim and Google's servers. This could be done by tricking the victim into logging onto a malicious wireless network, Hansen said.

Once this was done, the hacker could launch Hansen's attack by changing the Web pages being delivered to the victim's PC. By returning Web pages that have been doctored with new JavaScript code, the victim could be tricked into clicking onto a malicious link ... The steps Hansen took to pull off the attack are complex because of the security features that Google has built into its software

Robert Hansen is the horse's mouth:

Google Desktop has had a troubled past. It has encountered tons of security problems with its implementation, and continues to suffer. This time may be a little different than most times, but it is systemic of the same issues. When you attempt to combine web-pages with applications that have any significant power you run into security flaws ... This is exactly one of those cases ... we could have launched almost anything you can imagine, including programs that connect out to the web, uninstall programs, etc. ... This should drive home the point that deep integration between the desktop and the web is not a good idea, without tremendous thought put into the security model.


Mitigating factors: Obviously this has two big caveats to it. The first being that the attacker is sophisticated enough to launch a MITM attack against you similar to how Airpwn works. The second is that you have Google Desktop installed. To avoid these issues, only use trusted networks while Google Desktop is installed, keep it from indexing certain dangerous files or uninstall it completely. [read more and see video]

Dan Goodin counts four Google security issues in seven days:

The search king, despite the god-like aura it enjoys for its pleasing software designs, remains a mere mortal in the security cosmos ... Here's how it works: While web surfing at a cybercafe, a victim using a fully-patched machine running Google Desktop performs a Google search. The MITM agent detects the query and injects two iframes, one linked to a malicious URL and the other that secretly follows the victim's cursor as it moves about on the browser page ... As the malicious search query loads, the attacker forces Google Desktop to load as well. By dint of the iframe secretly following the mouse, the victim unknowingly clicks on the Google Desktop query, allowing the attacker to run any application that has been indexed by the Google program.

At about the same time ... a separate researcher ... exposed a nasty cross-site scripting (XSS) error in Gmail ... A third vulnerability ... resided in a Google feature that allows webmasters to request pages be removed from Google search results ... anybody could traverse up the directory root structure and browse folders at will and sniff out weak database passwords ... The fourth vulnerability ... Google opted to use a less-secure, unvalidated method ... [to] update Google Toolbar and Google Browser Sync ... and also chose to install updates without seeking a user's permission.


The past week has done plenty to demonstrate Google is as fallible as any other earth dweller, particularly when it tries to rise above its search-engine origins and do more complicated things. We'd all do well to remember that for all its achievements, Google is forever susceptible to the cosmos's darker forces, not to mention its own hubris and carelessness.

And Nitesh Dhanjani is worried about the new Google Gears:

Google Gears, as you may have heard, is a browser extension that lets you develop applications that can run offline. If you haven’t already, try out the sample applications to get a feel for the functionality Google Gears has to offer ... It’s a good idea to brainstorm on the possible security implications of Google Gears because it lets web code act upon the user’s local disk (sand-boxed with the browser’s same origin policy)


  • It is great that the documentation warns users about SQL Injection ... [Google] cannot prevent the construction of JavaScript strings that accept user input to construct SQL statements (dynamic SQL). All they can do at this point is warn the developers ...
  • I like the fact that the Gears plugin asks the user’s permission when a website attempts to use the plugin ...
  • Gears’ SQL based API may make it easier for a XSS attack to pull or manipulate data from the victim’s Gears database ...
  • I don’t see any restrictions on how big the Gears database can get. There is no option to configure the Gears browser extension to restrict the size of a database. This may contribute to a denial of service attack by a rogue website ... or by an attack exploiting a XSS vulnerability in a website that uses Gears.
  • There is no API to facilitate the encryption of the offline data ...

I like the concept of Google Gears. I think it’s a great idea. Just like everything in life, the increased functionality it provides is not without increased risk. If I had to pick from the list above, I’d guess that we are most likely to hear of existing XSS or browser vulnerabilities being abused to steal (or manipulate) Gears databases.
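The "dynamic SQL" trap Dhanjani flags in his first bullet, shown concretely. This is an added example, not code from the original post or from Google; the Gears Database API itself is `google.gears.factory.create('beta.database')`, then `db.open(name)` and `db.execute(sqlStatement, argArray)`, and the `FakeGearsDatabase` class below is an assumed stand-in with the same `execute` signature that merely records what it is handed, so the block runs in Node without the plugin. The `notes` table and the `findNotes*` functions are likewise assumptions for illustration.

```javascript
// Added example: dynamic SQL versus bound arguments against a Gears-style
// execute(sql, args) API. FakeGearsDatabase is a stand-in (assumption) for
// google.gears.factory.create('beta.database'); it only records calls.
class FakeGearsDatabase {
  constructor() { this.calls = []; }
  open(name) { this.name = name; }
  // Same shape as Gears' execute(sqlStatement, argArray).
  execute(sql, args = []) {
    this.calls.push({ sql, args });
    return this.calls.length - 1;
  }
}

// VULNERABLE: the page-supplied search term is spliced into the SQL text,
// so a quote in the term rewrites the statement (the construction the
// Gears documentation can only warn about, not prevent).
function findNotesUnsafe(db, term) {
  const sql = "SELECT id, body FROM notes WHERE body LIKE '%" + term + "%'";
  db.execute(sql);
  return sql;
}

// HARDENED: the SQL text is a constant and the term travels as a bound
// argument, so whatever it contains is matched as data, never parsed.
function findNotesSafe(db, term) {
  const sql = 'SELECT id, body FROM notes WHERE body LIKE ?';
  const args = ['%' + term + '%'];
  db.execute(sql, args);
  return { sql, args };
}

// Constructed attacker input: closes the LIKE literal and appends a tautology.
const PAYLOAD = "x%' OR '1'='1";

// Runs both variants with the payload and reports what reached execute().
function demo() {
  const db = new FakeGearsDatabase();
  db.open('notes-demo');
  const unsafeSql = findNotesUnsafe(db, PAYLOAD);
  const safe = findNotesSafe(db, PAYLOAD);
  // The unsafe statement now carries the OR clause as live SQL; the safe
  // statement is unchanged and the payload is only visible inside args.
  return {
    unsafeSql,
    safeSql: safe.sql,
    safeArgs: safe.args,
    tautologyInSql: unsafeSql.includes("OR '1'='1"),
    recorded: db.calls.length,
  };
}

module.exports = { FakeGearsDatabase, findNotesUnsafe, findNotesSafe, demo, PAYLOAD };
```

The same distinction applies to his third bullet: script running in the site's origin (via an XSS hole) can call `execute` freely either way, so parameterised queries protect the data from the site's own input handling, not from a compromised origin.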

Gary W. Longsine muses:

This should drive home the point that connections should flow over encrypted tunnels whenever possible, to reduce the ease of performing man in the middle attacks. If this session flowed over an SSL style connection, the man in the middle would first need to figure out how to get into that session.

EraserMouseMan is insightful:

We'd better get used to Google becoming the butt of jokes usually aimed at ActiveX. ... the developers that develop these technologies simply get traded between the big 3 (Google, MS, Yahoo) and others ... [does] Google write insecure apps just like every other software development company that is made up of humans?

But 140Mandak262Jamuna is skeptical:

Basic premise of the whole scheme sketched out in the article seems to be having a man in the middle. Maybe an evil twin router offering network connection near a coffee shop or a malicious laptop in an airport faking an "infrastructure mode" SSID in ad-hoc mode or something like that ... I am not sure if there is anything unique to Google Desktop here. Could the same attack take advantage of the numerous ActiveX vulnerabilities?

Is the "security expert" trying to get more mileage by listing each exploitable hole of a man-in-the-middle attack as a separate discovery?

naasking reminds us why this is a big deal:

Don't be daft, SSL was created to prevent exactly these attacks, so why isn't it being used? Why does the Google toolbar submit all your potentially authority-bearing https urls to their anti-spam service in clear text? As good as Google is in certain areas, they're absolutely horrid when it comes to basic security measures.


And finally... LOLCODE [KTHXBYE]

Richi Jennings is an independent technology and marketing consultant, specializing in email, blogging, Linux, and computer security. A 20 year, cross-functional IT veteran, he is also an analyst at Ferris Research. Contact Richi at

I promise never again to make fart jokes in IT Blogwatch titles.

Copyright © 2007 IDG Communications, Inc.
