[ISN] Second Google Desktop attack reported

From: InfoSec News (alerts@private)
Date: Sun Feb 25 2007 - 23:14:27 PST


By Robert McMillan
IDG News Service
February 23, 2007

Google's PC search software is vulnerable to a variation on a 
little-known Web-based attack called anti-DNS pinning that could give an 
attacker access to any data indexed by Google Desktop, security 
researchers said this week.

This is the second security problem reported this week for the software. 
On Wednesday, researchers at Watchfire said they'd found a flaw that 
could allow attackers to read files or run unauthorized software on 
systems running Google Desktop.

As with Watchfire's bug, attackers would first need to exploit a 
cross-site scripting flaw in the Google.com Web site for this latest 
attack to work, but the consequences could be serious, according to 
Robert Hansen, the independent security researcher who first reported 
the attack. "All of the data on a Google desktop can now be siphoned off 
to an attacker's machine," he said.

Cross-site scripting flaws are common Web server vulnerabilities that 
can be exploited to run unauthorized code within the victim's browser.

Hansen, who is CEO of Sectheory.com, did not post proof of concept code 
for his attack, but he said that he has "tested every component of it, 
and it works." He has posted some details of how Google Desktop data 
could be compromised on his blog.

Google said it was investigating Hansen's findings. "In addition, we 
recently added another layer of security checks to the latest version of 
Google Desktop to protect users from vulnerabilities related to Web 
search integration in the future," the company said in a prepared 

Anti-DNS pinning is an emerging area of security research, understood by 
just a handful of researchers, said Jeremiah Grossman, CTO at WhiteHat 
Security. The variation of this attack described by Hansen manipulates 
the way the browser works with the Internet's DNS in order to trick the 
browser into sending information to an attacker's computer.

"Once you can re-point Google to another IP address, instead of Google 
getting the traffic, the bad guy does," he said.

Because this type of attack is so difficult to pull off and is poorly 
understood, it is unlikely to be used by the criminals any time soon, 
Grossman said. But anti-DNS pinning shouldn't be ignored, he added. "We 
should keep our eyes on it in case the bad guys shift gears."

News of the attack comes as Google is trying to enter the desktop 
productivity market. On Thursday, Google launched a suite of Web-based 
collaboration software, called the Google Apps Premier Edition, that 
analysts say could become a competitor to Microsoft Office.

The troubling thing about the attack Hanson identified, which he calls 
anti-anti-anti-DNS pinning, is that there is very little that can be 
done to avoid it short of eliminating cross-site scripting 
vulnerabilities on the Web.

"This is really just fundamentally about how browsers work," he said. 
"If you allow a Web site to have access to your drive -- to modify, to 
change things, to integrate, or whatever -- you're relying on that Web 
site to be secure."

Hansen and Grossman say that Google is not the only company vulnerable 
to a growing category of Web-based attacks. For instance, MySpace.com 
was hit when a fast-moving worm spread through the MySpace community in 
early December, stealing MySpace log-in credentials and promoting adware 
Web sites.

"A lot of these new attack techniques are going to require the browsers 
to improve," Grossman said. "The users really have very little ability 
to protect themselves against these attacks" he said. "It's very bad. 
Even the experts are afraid to click on each other's links anymore."

Subscribe to the InfoSec News RSS Feed

This archive was generated by hypermail 2.1.3 : Sun Feb 25 2007 - 23:19:44 PST