Google Desktop vulnerable to attack
Posted by Robert Vamosi
Security researcher Robert Hansen, aka RSnake, has published details of a new attack on Google Desktop. Basically, Hansen found a man-in-the-middle attack, this time placing an attacker between Google and someone launching a desktop search query. From this position, the attacker is able to manipulate the search results and possibly take control of other programs on the desktop.
Hansen writes: "This should drive home the point that deep integration between the desktop and the Web is not a good idea" since Google's site is unencrypted and therefore can be subverted by an attacker. But Hansen notes there are two caveats here: one, you need to have Google Desktop installed, and two, the attacker must be sophisticated enough to launch a man-in-the-middle attack upon you.
Well, this comes as a bit of a shock to me at least, I'm just glad that I stopped using Google desktop ages ago.
What's really crazy is that the guy actually did a video demonstration of him hacking himself, granted, you can't really see what he's doing, but someone knowledgeable in this stuff (i.e. a hacker) could find the program he's using, and could possibly work out the code too.
There is also some other news too:
On this week's Security Bites podcast, I asked Robert Hansen, aka RSnake, the security researcher who disclosed the man-in-the-middle attack on the Google Desktop last week, what readers can do to avoid becoming a victim.
Hansen said: "They could turn off the integration between Google Desktop and the Web. Or they could wait for a patch to come out, which I'm sure there will be. Or my favorite answer is to uninstall the Google Desktop entirely.
"I'm not exactly quick to tell people to stop using applications, but Google Desktop's had, like I said (earlier), four vulnerabilities in the last couple of months. Plus, if you look at the latest man-in-the-middle attack against the Google Toolbar, which gives the attacker complete access to the computer, you kind of get the feeling that Google just doesn't know how to write secure desktop applications, not to mention the fact they're trying to go for a deeper integration with the Web in the future.
"So, if you need to have something on your drive, you can try Yahoo Desktop Search; it's faster and has nicer features, and it doesn't have that connection between the Web and the desktop."