June 1st, 2007

Beware of that man between you and your Google Desktop

Posted by Ryan Naraine @ 8:32 am


Last month, I wrote a piece about Robert Hansen’s Mr-T (Master Recon-Tool), a powerful tool that harvests data leaking out of Web browsers. In the post, I talked about how these types of reconnaissance tools could be combined with sniffers and information from vulnerability databases to lay the groundwork for super-targeted attacks.

(See also: Do you know what’s leaking out of your browser?)

Now, Hansen is taking the concept a step further with a scary demo of a zero-day vulnerability (video) in the Google Desktop search application, proving that information leaking out of your machine makes it easier for a hacker to prepare a sophisticated attack.

Hansen, a Web application security specialist who uses the hacker name RSnake, has figured out a way to launch man-in-the-middle attacks against a computer with a fully patched Google Desktop installed.

The attack (see details and proof-of-concept) is purely theoretical (and somewhat complicated) but very plausible if an attacker is motivated enough to stalk the victim.

With knowledge of the Google Desktop security model (a combination of one-time tokens, iFrames and JavaScript), Hansen figured out a way to sit between a target and Google while the target launches a search query, and to manipulate the search results to take control of other programs on the desktop.

The long and short, as explained by Hansen:

  • User goes to Google and performs a search.
  • Man in the middle detects the action and proceeds to inject his own content.
  • The attacker injects a piece of JavaScript that creates an iframe to the target URL as well as makes the iframe follow the mouse. This is invisible to the user.
  • He then frames another search query to correctly position the content inside the follow mouse script.
  • As the evil search query loads, he injects a meta-refresh to reload the same page forcing Google Desktop to load. This could be any program already installed on the victim machine that is indexed by Google Desktop.
  • User inadvertently clicks on evil Google Desktop query which actually runs the associated program.
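The defensive counterpart to the chain above is to notice when a page has been altered in transit. The following is an added example, not code from the article, from RSnake's proof-of-concept or from Google: it scans an HTML response body for three indicators the steps list (a meta refresh that reloads the page, an iframe styled to be invisible or free-floating, and inline script that tracks the mouse to move a frame). The indicator names, the CSS heuristics and the two sample pages are assumptions constructed for this example; the frame target in the tampered sample is a placeholder, not a real local application URL.

```python
"""Flag the markers of in-transit page tampering like the chain described above.

Added example; not code from the article, RSnake's proof-of-concept or Google.
The indicator names, CSS heuristics and sample pages are constructed here.
"""
import re
from html.parser import HTMLParser


class InjectionInspector(HTMLParser):
    """Collects (indicator, detail) pairs while parsing one response body."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False
        self._script_chunks = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            # A refresh injected into a results page forces the reload in step 5.
            self.findings.append(("meta-refresh", a.get("content", "")))
        elif tag == "iframe":
            style = a.get("style", "").replace(" ", "").lower()
            hidden = (re.search(r"opacity:0(\.0+)?(;|$)", style)
                      or "visibility:hidden" in style or "display:none" in style)
            floating = "position:absolute" in style or "position:fixed" in style
            if hidden or floating:
                self.findings.append(("hidden-or-floating-iframe", a.get("src", "")))
        elif tag == "script":
            self._in_script = True

    def handle_data(self, data):
        if self._in_script:
            self._script_chunks.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
            text = "".join(self._script_chunks)
            self._script_chunks = []
            # Script that both listens for mouse movement and touches a frame.
            if re.search(r"mousemove", text, re.I) and re.search(r"i?frame", text, re.I):
                self.findings.append(("mouse-tracking-frame-script", text.strip()[:60]))


def inspect_response(body):
    """Return the list of indicators found in an HTML body (empty if clean)."""
    parser = InjectionInspector()
    parser.feed(body)
    parser.close()
    return parser.findings


# Constructed sample: an ordinary results page with a visible, fixed-size frame.
CLEAN_PAGE = """<html><head><title>results</title></head><body>
<div id="results"><a href="http://www.example.com/">Example result</a></div>
<iframe src="http://ads.example.com/slot" width="300" height="250"></iframe>
<script>function highlight(e){e.target.className='hover';}</script>
</body></html>"""

# Constructed sample of the same page after the injection the article describes;
# the frame target is a placeholder, not a real local application URL.
TAMPERED_PAGE = """<html><head><meta http-equiv="refresh" content="2"></head><body>
<div id="results"><a href="http://www.example.com/">Example result</a></div>
<iframe id="frame" src="http://localhost/PLACEHOLDER-desktop-app/" style="position:absolute; opacity:0"></iframe>
<script>document.onmousemove=function(e){var f=document.getElementById('frame');f.style.left=e.clientX+'px';f.style.top=e.clientY+'px';};</script>
</body></html>"""


if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("tampered", TAMPERED_PAGE)):
        print(name, inspect_response(page))
```

Run on a proxy or in a test harness, `inspect_response` returns nothing for the clean page and three indicators for the tampered one. The heuristics are deliberately narrow; the root fix Hansen points at is serving the page over an encrypted channel so that there is no position in the path from which to inject anything.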

“This should drive home the point that deep integration between the desktop and the web is not a good idea, without tremendous thought put into the security model. As Google’s site is unencrypted, and they place their content that can run executables on their site, it can be subverted by an attacker,” Hansen warns.

Hansen’s advisory comes just days after Chris Soghoian’s exposé of a similar man-in-the-middle attack scenario against a remote vulnerability in the upgrade mechanism used by a number of commercial Firefox extensions.

That problem also affects Google directly since two Firefox add-ons offered by the search giant — Google Toolbar and Google Browser Sync — are updated via insecure channels.
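What an update mechanism has to do to close the hole described above is short to state: fetch the manifest over an encrypted channel and refuse any package whose digest does not match what the manifest pins. The following is an added example, not code from Google, Mozilla or Chris Soghoian's advisory, modelling exactly those two checks. The manifest layout, URLs and package bytes are constructed for this example; a production updater would also verify a publisher signature over the manifest itself, which is left out here.

```python
"""Verify an add-on or tool update before installing it.

Added example; not code from Google, Mozilla or Soghoian's advisory. Manifest
layout, URLs and package bytes are constructed here. A real updater would also
check a publisher signature over the manifest.
"""
import hashlib
import hmac
from urllib.parse import urlparse


class UpdateRejected(Exception):
    """Raised when an update fails a channel or integrity check."""


def check_manifest_source(url):
    """Accept only https manifest URLs with a host; anything else is untrusted."""
    parts = urlparse(url)
    if parts.scheme != "https" or not parts.netloc:
        raise UpdateRejected("manifest must be fetched over https: %s" % url)
    return True


def verify_package(manifest, package_bytes):
    """Compare the package digest to the pinned one in constant time."""
    expected = manifest["sha256"].lower()
    actual = hashlib.sha256(package_bytes).hexdigest()
    if not hmac.compare_digest(expected, actual):
        raise UpdateRejected("package digest %s does not match manifest" % actual[:12])
    return True


def apply_update(manifest_url, manifest, package_bytes):
    """Run both checks; return the version that may now be installed."""
    check_manifest_source(manifest_url)
    verify_package(manifest, package_bytes)
    return manifest["version"]


# Constructed sample data: the package the publisher built and its manifest.
GOOD_PACKAGE = b"PK\x03\x04 placeholder extension package v1.0.1"
MANIFEST = {"version": "1.0.1", "sha256": hashlib.sha256(GOOD_PACKAGE).hexdigest()}
# Constructed stand-in for a payload substituted on an unencrypted link.
SWAPPED_PACKAGE = b"PK\x03\x04 something else entirely"


def demo():
    """Return the outcome of each case as a dict, for inspection or testing."""
    results = {}
    results["good"] = apply_update(
        "https://updates.example.com/manifest.json", MANIFEST, GOOD_PACKAGE)
    for name, url, pkg in (
        ("plain-http", "http://updates.example.com/manifest.json", GOOD_PACKAGE),
        ("swapped", "https://updates.example.com/manifest.json", SWAPPED_PACKAGE),
    ):
        try:
            apply_update(url, MANIFEST, pkg)
            results[name] = "accepted"
        except UpdateRejected:
            results[name] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

The digest check alone is worthless if the manifest itself arrives over plain HTTP, since whoever rewrites the package can rewrite the pinned hash too; that is why the scheme check comes first and why the manifest should additionally carry a signature.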

It has been a tough week for Google on the security front. Outsiders recently stumbled upon a gaping hole in a Google service that allowed anyone to traverse up the directory root, browse folders and find weak database passwords.

Oh, by the way, Google also has a big problem with cross-site scripting issues that could really blow up because of the way Google Accounts ties everything together.

It might not seem a big deal, but all XSS holes in Google are really dangerous. And because Google deploys their single sign-on scheme by coupling Adwords, AdSense, GMail, iGoogle, Google Spreadsheet, and all their online services, they are creating a dangerous situation. Because if I can steal the session or cookie information, or bluntly hijack one account I’ve got them all. It may not happen just now, but who knows. Cutting them some slack isn’t an option in my eyes, no one got more secure by cutting them slack.

Google has a very impressive security team in place that is regularly credited with finding bugs in third-party products, but it looks like there’s a need for a massive in-house audit.

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal.

Talkback (most recent of 9):

I agree
I'm trying to stay informed as well! I'm a fan of google's products, but I did away with google's desktop search and toolbar long ago. Security is a huge issue for me, and I'm glad these articles and comments keep me informed.
Thanks!...
Posted by: Ray Reece, 06/04/07