Google Desktop vulnerable to attack

Although rare, a sophisticated attacker could perform a man-in-the-middle attack using Google Desktop.

Security researcher Robert Hansen, aka RSnake, has published details of a new attack on Google Desktop. Basically, Hansen found a man-in-the-middle attack, this time placing an attacker between Google and someone launching a desktop search query. From this position, the attacker is able to manipulate the search results and possibly take control of other programs on the desktop.

The attack scenario plays out like this: a user of Google Desktop makes a search query that is intercepted by an attacker. The attacker then injects Javascript that creates an invisible IFrame on the target URL page as well as makes the IFrame follow the user's mouse; the user is unaware. The attacker then injects more code to position a second query inside the user mouse IFrame. As the second query executes, the attacker then forces a meta-refresh to reload the page, and that forces Google Desktop to load as well as any program indexed by Google Desktop the attacker may desire. When user clicks the evil Google Desktop query, the malicious program executes.

Hansen writes: "This should drive home the point that deep integration between the desktop and the Web is not a good idea" since Google's site is unencrypted and therefore can be subverted by an attacker. But Hansen notes there are two caveats here: one, you need to have Google Desktop installed, and two, the attacker must be sophisticated enough to launch a man-in-the-middle attack upon you.

To illustrate the attack, Hansen provided an online video demonstration.

 

ARTICLE DISCUSSION

Conversation powered by Livefyre

Don't Miss
Hot Products
Trending on CNET

Hot on CNET

CNET's giving away a 3D printer

Enter for a chance to win* the MakerBot Replicator 3D Printer and all the supplies you need to get started.