Google fixes serious security flaw
October 22, 2004
The first flaw in Google's Desktop Search product has been discovered, and now fixed, according to the search giant. The JavaScript vulnerability that allowed third-party websites to view the results of searches made on users' local hard drives and insert "phished" dialog windows has been thwarted.
It took Google four days to address the problem, and according to the JavaScript expert who raised the alarm, it still hasn't been adequately patched.
According to a report posted to the Bugtraq Security Focus list on Wednesday, Google's new Desktop Search tool did not prevent a hacker from inserting JavaScript, a programming language, into the Web address of its page image, or logo. That vulnerability could have allowed any rogue third party to change the appearance of Google's Web page to ask for personal data such as credit card numbers from its visitors, what's known as a phishing scam, according to the warning.
Software developer Jim Ley, who maintains the comp.lang.javascript FAQ, announced the flaw on Monday on his weblog. But nobody noticed. Ley's email message to security@google.com bounced. He looked in vain for a security hotline number.
On Tuesday he demonstrated an ingenious potential application of the bug: a phishing exploit that announced that Google was becoming a subscription service, and invited victims to enter their credit card details. Still no response.
Only after Google finally saw the post on the Security Focus BugTraq mailing list did it take some action. Yet it couldn't explain why it didn't have a working email or phone contact for security alerts, and, according to Jim, it insisted that he remove the phishing example.
As Jim Ley writes: "Hopefully Google will get in touch explain what went wrong with the communication of the issue, hopefully Google will realise that a phone number of the security team on the web would also help."
"The fix they put in place is still flawed, it relies on special casing the vbscript, javascript and perlscript strings, meaning other language protocols are still at risk in IE with its multiple scripting language capability."
Problems of this scope began after Google Corp. released its newest Web search product--a tool to search the files on a PC alongside Web pages. Security experts have scrutinized the technology, and reported some interesting findings.
The problem with Google's script-insertion vulnerability may have existed for as long as two years. But with the addition of Google Desktop, the flaw became more serious, said Jim, because "it places the results of a desktop search into the output of a regular Google search." He said that the flaw could have allowed third parties to make a record of all the searches people make.
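The criticism of the fix quoted above, shown as an added example (not code from Google or from Jim Ley): a filter that special-cases the three named script schemes, next to one that accepts only http and https. The function names, the `otherscript:` placeholder scheme, the fallback image path and the sample URLs are constructed for illustration.

```javascript
// Added example; all names and sample values here are constructed.

// Blocklist: special-cases the three script schemes named in the article.
const BLOCKED_PREFIXES = ["javascript:", "vbscript:", "perlscript:"];

function blocklistAllows(value) {
  const v = value.trim().toLowerCase();
  return !BLOCKED_PREFIXES.some((prefix) => v.startsWith(prefix));
}

// Allowlist: parse the value and accept only the schemes an image needs.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

function allowlistAllows(value) {
  let url;
  try {
    url = new URL(value); // throws on relative or malformed input
  } catch {
    return false;
  }
  return ALLOWED_PROTOCOLS.has(url.protocol);
}

// Escape characters that could break out of a quoted HTML attribute.
function escapeAttr(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Render the logo tag, falling back to a fixed image when the value is rejected.
function renderLogo(value) {
  if (!allowlistAllows(value)) {
    return '<img src="/default-logo.png" alt="logo">'; // hypothetical fallback path
  }
  return `<img src="${escapeAttr(new URL(value).href)}" alt="logo">`;
}

// Constructed inputs: an ordinary image URL, a listed scheme, an unlisted one.
const samples = [
  "https://images.example/logo.gif",
  "javascript:void(0)",
  "otherscript:void(0)", // placeholder for any scheme the blocklist does not name
];
for (const s of samples) {
  console.log(s, "blocklist:", blocklistAllows(s), "allowlist:", allowlistAllows(s));
}
```

The unlisted scheme passes the blocklist and is rejected by the allowlist, which is the gap the quote describes.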