Google Desktop Flaw Fixed, But Future Attacks Still Possible

by Playfuls Staff | 22nd February 2007

Google issued several fixes at the beginning of February for a flaw that affected Desktop Search, one of its most popular desktop applications, but the problems are not over.

The flaw was discovered by security firm Watchfire and it could have allowed a hacker to access private information remotely and even take control of the entire system.

According to the three authors of the report, the vulnerability is the “outcome [of] both the integration between the Google.com Web site and Google Desktop, and Google Desktop's failure to properly encode output containing malicious or unexpected characters. Unlike traditional computer penetration attacks, there is no need for binary code to be injected.”

The authors underline the potential danger of integrating Web-based applications with desktop applications, which opens the door to future attacks modeled on the one against Google Desktop Search. They say a hacker could escalate his/her privileges by crossing from the Web environment to the desktop application environment: “These attacks take advantage of Web application vulnerabilities and the increasing power of the Web browser. Their purpose is to remotely access private information.”

Users who install Google Desktop see snippets of information of about 30-60 characters inside the Web page when using Google’s engine. The snippets appear at the top of the search results. But Watchfire warns that despite its obvious usefulness, the feature poses a major security threat: “If a Cross Site Scripting (XSS) vulnerability in Google.com is exploited against a Google Desktop user, a malicious attack can access a portion of the local computer data. […] Since Google Desktop can access highly sensitive information, the possible impact of an external malicious access to Google Desktop's Web interface is far-reaching.”

Apparently, Google implemented several protection mechanisms. The simplest and most powerful of them is a restriction on connections to Google Desktop’s internal Web server: a connection to localhost can only be created if it originates from, and is addressed to, the local machine.

"I would definitely say by a large margin this is the most serious flaw we've discovered with Google or maybe any other Web application," Mike Weider, CTO of Watchfire, said.

In a statement to the media, Google says, "We have [added] another layer of security checks to the latest version of Google Desktop to protect users from similar vulnerabilities in the future. We have received no reports that this vulnerability was exploited. However, users should make sure they are running the latest version of Google Desktop by going to [Google's Web site] and downloading the latest version and installing it."

According to Weider, Google could prevent these vulnerabilities in the future by giving users the ability to disconnect the desktop application from the Google Web site.

"You have offline applications like a search tool that will search your index, and you have online sites like Google.com. What this application does is create a linkage between the two, where you could search on Google.com and get results from your desktop," Weider said.
