Google Desktop flaw allows data theft
Robert Lemos, SecurityFocus 2007-02-21
Earlier this month, Google released an updated version of Google Desktop that fixes the local cross-site scripting flaw, but many users may not have gotten the patch, said Danny Allan, director of security research for Watchfire. Because of the popularity of Google Desktop, there could be a large number of users with vulnerable systems.
“Undoubtedly, there are millions of people at risk today,” Allan said.
A Watchfire researcher, Yair Amit, found indications of the vulnerability last October. The firm researched the issue in December and reported it to Google on January 4. The search giant released the updated Google Desktop client on February 1.
The Google Desktop software has the capability to automatically update itself with a more recent version, Google spokesman Barry Schnitt said in an e-mail interview with SecurityFocus. While he did not directly address Watchfire’s claims that millions of systems may still be vulnerable, Schnitt did stress that very few users should have to manually update.
“Almost all users will be automatically updated,” Schnitt said. “However, there are some rare scenarios where users have turned off auto-update or the software fails to update. Thus, users should just verify that they have been auto-updated.”
Schnitt said users should go to the Google Desktop site and make sure they have the latest version, 5.0.701.30540.
As applications and Web sites increasingly incorporate online data services into their architecture, an evolving relationship often referred to as Web 2.0, securing the interrelated infrastructure becomes more difficult.
“Cross-site scripting (attacks) have become more popular in the last two years as more researchers understand their power,” Yuval Ben-Itzhak, chief technology officer of Web security firm Finjan, said in an e-mail interview with SecurityFocus. “Web 2.0 is a good platform (in which) to use XSS, but many, many Websites are vulnerable (today) to XSS.”
Google Desktop has a number of defenses, including filtering out any connections that do not originate from the user’s computer and using pseudo-random 512-bit signatures to obfuscate the names of specific pages and prevent guessing.
The issues underscore that local programs, such as Google Desktop, that run on a user’s PC but integrate closely with the Web or other servers on the Internet raise additional security issues, said Watchfire’s Allan. Developers of sites using such technologies need to be much more careful, he added.
“It underscores the bigger risks that we are seeing today in the more complex client-side execution of online applications,” Allan said. “The lines are blurring between offline applications and Web applications and as that blurring continues to grow, we will only be at greater risk.”
Google recommends that Google Desktop users download the latest version, which contains a patch for the cross-site scripting issue. The latest version also contains additional defenses against cross-site scripting attacks, Google’s Schnitt said.
“In addition, we have (added) another layer of security checks to the latest version of Google Desktop to protect users from similar vulnerabilities in the future,” Schnitt said.
However, the search giant did not further describe what additional defenses have been added to the program.
UPDATED: The article was updated with a disclosure timeline for the cross-site scripting flaw in Google Desktop and additional comments from Google stressing that a manual update of the software is likely unnecessary. In addition, several paragraphs were edited for clarity.