May 23rd, 2007

Google, Dell in URL redirection 'spyware' flap

Posted by Ryan Naraine @ 9:39 am

Categories: Botnets, Browsers, Data theft, Digital rights management, Exploit code, Firefox, Google, Hackers, Microsoft, Open source, Patch Watch, Pen testing, Spam and Phishing, Spyware and Adware, Viruses and Worms, Vulnerability research

Tags: Ryan Naraine

Google has invested heavily in several anti-malware/anti-spyware initiatives but the search engine giant might have a spyware problem of its own.

According to David Ulevitch, CEO of OpenDNS, Google’s revenue-generating URL error alliance with Dell drops a difficult-to-remove program on computers that straddles the spyware line.

In a blog entry making the rounds (Techmeme discussion, Danny Sullivan), Ulevitch calls attention to Google’s use of a program called “Browser Address Error Redirector” in its alliance with Dell to launch pay-per-click advertising when users mistype or misspell a domain name.

Not only that, but due to some support inquiries we’ve gotten it seems like this software is being installed on older Dell computers that use some sort of automatic update service from Dell. Is this thing spreading? Ugh. How bad is it?

In Ulevitch’s mind, Google has crossed a line.

I think Google has turned a page here. They have now enabled a piece of software that is hard to remove and forces users to look at a really bad page. In fact, Google knows that this provides users with a dramatically worse experience.

A big part of the problem is the fact that the Google/Dell arrangement has diluted the results shown to users. Instead of offering results close to the typo’d search query, the majority of the “error redirector” page is filled with ads — dumping money into Google’s pockets.

Ulevitch has a vested stake in this because his OpenDNS service (which, by the way, I use and enjoy) is affected by the Google software.

[This] his new “functionality” breaks things. Instead of making DNS requests, the address bar now sends single word queries to Google. This application breaks a lot of OpenDNS functionality our users love. Typo correction? Broken. Shortcuts? Broken. Google’s application breaks just about every user-benefiting feature we provide with client software that no user ever asked for.

We enjoy challenging problems at OpenDNS. But we’d rather spend our time making the Internet better rather than solving problems that shouldn’t have been created in the first place. We know that Google is capable of launching great products and services, but this isn’t one of them.

Ulevitch said OpenDNS has responded by stretching DNS itself to work around Google’s efforts but his complaint calls attention to the risks involved when a big company with deep pockets is uber-aggressive about spreading its wings.

What if Google’s “error redirector” software has an exploitable security vulnerability?

I’ve put in a query to Google for a response to this. I’ll update this entry as necessary.