Google Blogoscoped

Wednesday, February 21, 2007

Google Desktop XSS Hole Fixed

Using a cross-site scripting vulnerability in combination with an installed Google Desktop program, web app security consultants Watchfire were able to take over a user’s computer and transmit sensitive local information to their own server. According to AP, Google was alerted to the vulnerability on January 4th, 2007, and in return alerted Watchfire to their fix on February 1st. (Google Desktop is automatically updated, so if you have GD installed, you don’t need to do anything to patch this, Google says.)

Watchfire has by now released an extensive, illustrated whitepaper [PDF] describing the vulnerability. It’s well worth a read, if only to get your head around the type of exploit, and how hackers are able to find the most exotic “uses” for plain cross-site scripting (XSS) holes. With an active exploit, an attacker was able to ...

... search for and immediately find sensitive information including Office documents, media files, email (in many cases, even deleted ones), Web history cache, chat sessions, and an extensive chronologic record of the user’s activity on his/her personal or corporate computer.

Watchfire lists some example exploits which show the broad scope of this vulnerability:

Sensitive information: Search for the terms ’confidential’ or ’top secret’.
Password theft: Search for ’username’ or ’password’ keywords and extract authentication information from mails/files.
Bank information: Search for bank keywords and find Bank Web pages Google Desktop indexed, along with sensitive information.
Track user activities: Google Desktop’s “Timeline View” option presents an extensive [chronological] log of files edited by the victim and Web sites visited, along with cached versions of both.

What’s more, an attacker was able to launch executables on the victim’s computer. (The whitepaper notes that if an attacker is able to create a public share accessible by the victim, they could even drop a malicious EXE on this share to completely compromise the victim’s computer).

AP quotes Google as having said they have “no evidence the vulnerability was exploited” (which is very different from saying they have evidence that the vulnerability was not exploited – it may have been exploited, and Google just doesn’t have the tools to track this).

[Thanks Pd and Brinke! Screenshot by Watchfire.]

