Google Desktop flaw allows data theft
Robert Lemos, SecurityFocus 2007-02-21

Security firm Watchfire warned Google Desktop users on Wednesday to update the program to make certain that they are protected from a vulnerability that could allow an attacker to use JavaScript to search for and steal specific data on a user's system.

The attack, outlined in a paper (PDF) released by the firm, uses a cross-site scripting (XSS) flaw in the Google Desktop application in conjunction with any other XSS flaw in the Google.com domain to install malicious JavaScript on the user's computer. Using the technique, an attacker could create a JavaScript program that Google Desktop repeatedly runs, allowing the attacker to search a victim's computer using terms most likely to dredge up interesting data.

Google released an updated version of Google Desktop that fixes the local cross-site scripting flaw earlier this month, but many users may not have gotten the patch, said Danny Allan, director of security research for Watchfire. Because of the popularity of Google Desktop, there could be a large number of users with vulnerable systems.

"Undoubtedly, there are millions of people at risk today," Allan said.

A Watchfire researcher, Yair Amit, found indications of the vulnerability last October. The firm researched the issue in December and reported it to Google on January 4. The search giant released the updated Google Desktop client on February 1.

The Google Desktop software has the capability to automatically update itself with a more recent version, Google spokesman Barry Schnitt said in an e-mail interview with SecurityFocus. While he did not directly address Watchfire's claims that millions of systems may still be vulnerable, Schnitt did stress that very few users should have to manually update.

"Almost all users will be automatically updated," Schnitt said. "However, there are some rare scenarios where users have turned off auto-update or the software fails to update. Thus, users should just verify that they have been auto-updated."

Schnitt said users should go to the Google Desktop site and make sure they have the latest version, 5.0.701.30540.

JavaScript paired with one or more cross-site scripting flaws has increasingly become a significant vector for attacking PC users as they browse the Web. Researchers have warned that Web worms using JavaScript, cross-site scripting flaws and technologies such as AJAX will likely become more prevalent in the future. In 2005, a worm--dubbed Samy--spread among MySpace users, adding a user named "Samy" to the victim's friends list. Earlier this year, Adobe acknowledged that its Acrobat document reader also suffered from a cross-site scripting flaw that could be triggered by JavaScript.

As applications and Web sites increasingly incorporate online data services into their architecture--an evolving relationship often referred to as Web 2.0--securing the interrelated infrastructure becomes more difficult.

"Cross-site scripting (attacks) have become more popular in the last two years as more researchers understand their power," Yuval Ben-Itzhak, chief technology officer of Web security firm Finjan, said in an e-mail interview with SecurityFocus. "Web 2.0 is a good platform (in which) to use XSS, but many, many Websites are vulnerable (today) to XSS."

Google Desktop has a number of defenses, including filtering out any connections that do not originate from the user's computer and using pseudo-random 512-bit signatures to obfuscate the names of specific pages and prevent guessing.

To get around these defenses, the attack vector found by Watchfire requires the use of a cross-site scripting flaw affecting the Google.com domain. The company used a flaw it had found to demonstrate the issue to Google, and the search firm subsequently fixed the vulnerability. Using such a flaw, an attacker can run a JavaScript program that garners the signature assigned to the user's PC. With that signature, the attacker can create valid URLs, switch the context from Google.com and take control over Google Desktop.

With the preliminaries over, an attacker can now focus on using a feature that allows searching in specific directories on the PC--the under parameter--to execute JavaScript in the context of Google Desktop and make it persistent, Watchfire said in the report. Using a cross-site scripting proxy, an attacker can maintain continued bi-directional communication with the compromised system.
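The two defenses the article attributes to Google Desktop (accepting only connections that originate on the user's own machine, and hiding page names behind a pseudo-random 512-bit signature) are a common design for local helper services. The following is an added illustration written for this page, not Google's code or Watchfire's: a minimal loopback-only HTTP service that generates a 512-bit token at start-up and refuses any request that does not carry it. The query parameter name `s`, the port number and the handler are assumptions chosen for the example.

```python
import hmac
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Per-process secret playing the role of the article's pseudo-random signature:
# 512 bits, generated once at start-up, never written to logs.
TOKEN_BITS = 512
SESSION_TOKEN = secrets.token_hex(TOKEN_BITS // 8)  # 128 hex characters

LOOPBACK_ADDRESSES = {"127.0.0.1", "::1"}


def is_loopback(remote_addr: str) -> bool:
    """First defense: only connections that originate on this host are accepted."""
    return remote_addr in LOOPBACK_ADDRESSES


def token_from_query(path: str) -> Optional[str]:
    """Read the `s` query parameter (name assumed for this example) from a request path."""
    values = parse_qs(urlparse(path).query).get("s")
    return values[0] if values else None


def is_authorized(remote_addr: str, path: str, expected_token: str = SESSION_TOKEN) -> bool:
    """Second defense: the URL must carry the unguessable token.

    Both checks must pass. The token comparison is constant-time so that a
    caller cannot recover it byte by byte from response timing.
    """
    if not is_loopback(remote_addr):
        return False
    presented = token_from_query(path)
    if presented is None:
        return False
    return hmac.compare_digest(presented.encode("utf-8"), expected_token.encode("utf-8"))


class LocalSearchHandler(BaseHTTPRequestHandler):
    """Rejects anything that fails either check before touching local data."""

    def do_GET(self) -> None:
        if not is_authorized(self.client_address[0], self.path):
            self.send_error(403, "Forbidden")
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"ok\n")


def serve(port: int = 8080) -> None:
    # Bind to the loopback interface only (port is an arbitrary example value),
    # so a remote host cannot open the socket at all.
    HTTPServer(("127.0.0.1", port), LocalSearchHandler).serve_forever()


if __name__ == "__main__":
    serve()
```

The design point the article makes follows directly from this code: `is_authorized` authenticates the URL, not the script that built it. Any JavaScript running in an origin that is allowed to learn `SESSION_TOKEN` can construct URLs that pass both checks, which is why the report pairs the local flaw with a flaw in the Google.com domain. For a defender, the question to ask of such a service is how many origins can read the token, not only how long the token is.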

The issues underscore that local programs, such as Google Desktop, that run on a user's PC but integrate closely with the Web or other servers on the Internet raise additional security issues, said Watchfire’s Allan. Developers of sites using such technologies need to be much more careful, he added.

"It underscores the bigger risks that we are seeing today in the more complex client-side execution of online applications," Allan said. "The lines are blurring between offline applications and Web applications and as that blurring continues to grow, we will only be at greater risk."

Google recommends that Google Desktop users download the latest version, which contains a patch for the cross-site scripting issue. The latest version also contains additional defenses against cross-site scripting attacks, Google's Schnitt said.

"In addition, we have (added) another layer of security checks to the latest version of Google Desktop to protect users from similar vulnerabilities in the future," Schnitt said.

However, the search giant did not further describe what additional defenses have been added to the program.

UPDATED: The article was updated with a disclosure timeline for the cross-site scripting flaw in Google Desktop and additional comments from Google stressing that a manual update of the software is likely unnecessary. In addition, several paragraphs were edited for clarity.
