You are invited to Log in or Register a free Frihost Account!

Google Desktop Security Alert

Manofgames wrote:

Google Desktop vulnerable to attack
Posted by Robert Vamosi

Security researcher Robert Hansen, aka RSnake, has published details of a new attack on Google Desktop. Basically, Hansen found a man-in-the-middle attack, this time placing an attacker between Google and someone launching a desktop search query. From this position, the attacker is able to manipulate the search results and possibly take control of other programs on the desktop.

The attack scenario plays out like this: a user of Google Desktop makes a search query that is intercepted by an attacker. The attacker then injects Javascript that creates an invisible IFrame on the target URL page as well as makes the IFrame follow the user's mouse; the user is unaware. The attacker then injects more code to position a second query inside the user mouse IFrame. As the second query executes, the attacker then forces a meta-refresh to reload the page, and that forces Google Desktop to load as well as any program indexed by Google Desktop the attacker may desire. When user clicks the evil Google Desktop query, the malicious program executes.

Hansen writes: "This should drive home the point that deep integration between the desktop and the Web is not a good idea" since Google's site is unencrypted and therefore can be subverted by an attacker. But Hansen notes there are two caveats here: one, you need to have Google Desktop installed, and two, the attacker must be sophisticated enough to launch a man-in-the-middle attack upon you.

Well, this comes as a bit of a shock to me at least, I'm just glad that I stopped using Google desktop ages ago.
What's really crazy is that the guy actually did a video demonstration of him hacking himself, granted, you can't really see what he's doing, but someone knowledgeable in this stuff (i.e. a hacker) could find the program he's using, and could possibly work out the code too.

There is also some other news too: wrote:

On this week's Security Bites podcast, I asked Robert Hansen, aka RSnake, the security researcher who disclosed the man-in-the-middle attack on the Google Desktop last week, what readers can do to avoid becoming a victim.

Hansen said: "They could turn off the integration between Google Desktop and the Web. Or they could wait for a patch to come out, which I'm sure there will be. Or my favorite answer is to uninstall the Google Desktop entirely.

"I'm not exactly quick to tell people to stop using applications, but Google Desktop's had, like I said (earlier), four vulnerabilities in the last couple of months. Plus, if you look at the latest man-in-the-middle attack against the Google Toolbar, which gives the attacker complete access to the computer, you kind of get the feeling that Google just doesn't know how to write secure desktop applications, not to mention the fact they're trying to go for a deeper integration with the Web in the future.

"So, if you need to have something on your drive, you can try Yahoo Desktop Search; it's faster and has nicer features, and it doesn't have that connection between the Web and the desktop."
I never use it, my friend told me it lagged his computer and he got a virus after installing it and using a few times. I never had the need to use it, now i wont ever use it Very Happy
As of when these things belong in the General Chat?

Moved to Software.
this is just what you should called "media hype", with nothing news worthy today, they just put any crap they can get hold to, so that they can continue publish something and get paid.

this Robert Hansen a.k.a rsnake, have some personal vendetta against google. nobody really know or understand why. maybe an FBI profiler can come up with something. you can just visit his site to see how much he hates google.

his man-in-the-middle attack against google desktop is purely theoretical and complicated, and the attacker need to be motivated enough to stalk the victim personally, not on large scale to million of Internet users world wide, and have to be on standby 24-7 for the victim to use google desktop to serach at google server and manually inject the fake code and fetch the search result from google and inject it back.

tried as hard as he could, he can never crack into even a single google's employee's PC that is running a vulnerable instance of google desktop, even he already boost that he have all their IP addresses after they visit his site, and he managed to get hold of their physical address, telephone number, school they attended, all via other means, not through his "skill" which he keep boosting about. of course, i'm sure he spent an awful lot of time to do whois on all the IP to know that it's from google's office.

of course, his video demo is just a dummy where every parameter has been set in advance.

oh, did I mention Mr Robert Hansen is confused with the term hacker and cracker? He obviously didn't run a site about programming.
Related topics
Google Hacked?
Google Adsense - *OFFICIAL THREAD*
Google turns 7
Desktop search
Google Upgrades its Desktop to 2.0
Google Talk Options
Google pack
Google launching 4 new apps.
Google update! New Products!
FriHost member proud of new widget!!
Google Desktop Search
Google Desktop does not work
Google desktop goes Linux
Reply to topic    Frihost Forum Index -> Computers -> Software

© 2005-2011 Frihost, forums powered by phpBB.