Beware of that man between you and your Google Desktop

Summary: A Web application security specialist has figured out a way to launch sophisticated man-in-the-middle attacks against a computer with a fully patched Google Desktop installed.


Last month, I wrote a piece about Robert Hansen's Mr-T (Master Recon-Tool), a powerful tool that harvests data leaking out of Web browsers. In the post, I talked about how these types of reconnaissance tools could be combined with sniffers and information from vulnerability databases to lay the groundwork for super-targeted attacks.

(See also: Do you know what’s leaking out of your browser?)

Now, Hansen is taking the concept a step further with a scary demo of a zero-day vulnerability (video) in the Google Desktop search application, proving that information leaking out of your machine makes it easier for a hacker to prepare a sophisticated attack.

Hansen, a Web application security specialist who goes by the hacker name RSnake, has figured out a way to launch man-in-the-middle attacks against a computer with a fully patched Google Desktop installed.

The attack (see details and proof-of-concept) is purely theoretical (and somewhat complicated) but very plausible if an attacker is motivated enough to stalk the victim.

With knowledge of the Google Desktop security model (a combination of one-time tokens, iFrames and JavaScript), Hansen figured out a way to sit between a target and Google while the target runs a search query, and to manipulate the search results so as to take control of other programs on the desktop.

The long and short of it, as explained by Hansen:

  • User goes to Google and performs a search.
  • Man in the middle detects the action and proceeds to inject his own content.
  • The attacker injects a piece of JavaScript that creates an iframe to the target URL as well as makes the iframe follow the mouse. This is invisible to the user.
  • He then frames another search query to correctly position the content inside the follow mouse script.
  • As the evil search query loads, he injects a meta-refresh to reload the same page forcing Google Desktop to load. This could be any program already installed on the victim machine that is indexed by Google Desktop.
  • User inadvertently clicks on evil Google Desktop query which actually runs the associated program.
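The chain above depends on injected markup that a plain-HTTP response would never legitimately carry: a positioned, invisible iframe, a script that tracks the mouse, and a meta-refresh. As an added example (not code from the article or from Hansen's proof-of-concept), the following heuristic scanner flags those markers in an HTML response; the indicator names and the two sample documents are constructed for this example.

```python
# Added example: flag the markers of injected clickjacking-style content
# (hidden or positioned iframe, mouse-tracking script, meta-refresh) in an
# HTML document fetched over plain HTTP. Indicator names are this example's own.
from html.parser import HTMLParser


class InjectionIndicators(HTMLParser):
    """Collect suspicious-markup indicators from one HTML document."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "").lower() for k, v in attrs}
        if tag == "meta" and a.get("http-equiv") == "refresh":
            self.findings.append("meta-refresh")
        if tag == "iframe":
            style = a.get("style", "").replace(" ", "")
            if "opacity:0" in style or "visibility:hidden" in style:
                self.findings.append("hidden-iframe")
            if "position:absolute" in style:
                self.findings.append("positioned-iframe")
        if tag == "script":
            self._in_script = True
        if any(k.startswith("onmouse") for k in a):
            self.findings.append("inline-mouse-handler")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Script bodies are delivered as raw data; look for mouse tracking.
        if self._in_script and "mousemove" in data.lower():
            self.findings.append("mouse-tracking-script")


def scan_html(html):
    """Return the sorted, de-duplicated list of indicators found in html."""
    p = InjectionIndicators()
    p.feed(html)
    p.close()
    return sorted(set(p.findings))


# Constructed samples: a benign results page and one carrying the indicators.
BENIGN = "<html><body><div id='res'>results</div></body></html>"
SUSPECT = ("<html><head><meta http-equiv='refresh' content='2'></head><body>"
           "<iframe src='http://example.invalid/' style='opacity:0; position:absolute'></iframe>"
           "<script>document.onmousemove = track;</script></body></html>")

if __name__ == "__main__":
    print(scan_html(BENIGN), scan_html(SUSPECT))
```

A scan like this is only a coarse tripwire; the durable fix the quote below points at is serving the page over an encrypted channel so nothing can be injected in the first place.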

"This should drive home the point that deep integration between the desktop and the web is not a good idea, without tremendous thought put into the security model. As Google's site is unencrypted, and they place their content that can run executables on their site, it can be subverted by an attacker," Hansen warns.

Hansen's advisory comes just days after Chris Soghoian's exposé of a similar man-in-the-middle attack scenario against a remote vulnerability in the upgrade mechanism used by a number of commercial Firefox extensions.

That problem also affects Google directly since two Firefox add-ons offered by the search giant -- Google Toolbar and Google Browser Sync -- are updated via insecure channels.

It has been a tough week for Google on the security front. Outsiders recently stumbled upon a gaping hole in a Google service that allowed anyone to traverse up the directory root, browse folders and find weak database passwords.

Oh, by the way, Google also has a big problem with cross-site scripting issues that could really blow up because of the way Google Accounts ties everything together.

It might not seem a big deal, but all XSS holes in Google are really dangerous. And because Google deploys their single sign-on scheme by coupling Adwords, AdSense, GMail, iGoogle, Google Spreadsheet, and all their online services, they are creating a dangerous situation. Because if I can steal the session or cookie information, or bluntly hijack one account I've got them all. It may not happen just now, but who knows. Cutting them some slack isn't an option in my eyes, no one got more secure by cutting them slack.

Google has a very impressive security team in place that is regularly credited with finding bugs in third-party products, but it looks like there is a need for a massive in-house audit.

  • Anyone who integrates these "desktop tools" into their browser...

    ... is an idiot. You should *never* give an external party access to your desktop.

    If indexing your PC is important then buy an indexer. Installing the Google search bar is a sacking offence around here as it counts as unauthorised 3rd party software. Businesses are not toys.
    • The article is about Google Desktop not Google search bar

      And since the Enterprise version of Google Desktop can be configured to not use the internet or network with other computers, it is fairly simple to install and use it in a completely safe manner that is not exposed to this vulnerability - even in the enterprise. So you can call me an idiot all you want, but at least I know the difference between the two and am not falling prey to irrational fears.
      • Oops!

        "The article is about Google Desktop not Google search bar"

        Indeed - sorry about that! I got the two mixed up.

        With Google Desktop you still run the risk of disclosing information, as some information is stored at Google and even if you cancel the account they can hold on to whatever data you leave behind for a period of time. Even taking your point that "Google Desktop can be configured to not use the internet or network with other computers", if that is not the default for the install, then you know what most users will do.
  • Message has been deleted.

    • What the F##$$%!!!

      is this doing here? Last I heard, this was a TECH forum, not a soapbox for political hacks or the ilk. Google desktop and/or searchbar have nothing to do with immigrants, legal, illegal or otherwise. Take this diatribe to some other forum and let us talk about what matters here.
      • Hey

        immigrants use Google too :)
        John Zern
  • Frankly, we uninstall the preloaded Google Desktop from new PCs

    and don't install it on our older fleet of them, due to concerns over its reach and its reachability by others. There is enough spying software already coming from the IT dept; we don't need to add well-intended back doors and trap doors. Sorry Google, not everything you do is golden, just most things.
  • uh-oh

    I'm trying (desperately) to stay informed and be a responsible user and now I find I've become complacent once again. It never occurred to me to question Google, and no thank you, I am not interested in the bridge you'd like to sell me. So, now after I delete my Google desktop, I should also delete the Google toolbar, and access Google by typing in the address, right? And don't use any Firefox add-ons? Always access a site by typing the address? I appreciate the depth of knowledge I find in the articles and in the responses.
    • I agree

      I'm trying to stay informed as well! I'm a fan of google's products, but I did away with google's desktop search and toolbar long ago. Security is a huge issue for me, and I'm glad these articles and comments keep me informed.
      Ray Reece