Watchfire Discovers Google Desktop Vulnerability That Hackers Could Exploit to Gain Full System Control

Waltham, MA - 21 February 2007

Web Application Security Leader’s Researchers Demonstrate New Generation of Computer Vulnerabilities Based on Interaction Between Desktop and Web Applications

Web application security leader Watchfire, today announced its security researchers have discovered a vulnerability in Google Desktop which could enable a malicious individual to achieve not only remote, persistent access to sensitive data, but in some conditions full system control.

Watchfire’s security researchers have uncovered a new attack methodology that clearly emphasizes the danger of integration between desktop applications and web-based applications as an aperture for a malicious attacker to escalate his/her privileges by crossing from the Web environment to the desktop application environment. This outcome is the combined result of the integration between the Google.com Web site and Google Desktop, and Google Desktop's failure to properly encode output containing malicious or unexpected characters.

This attack, described in a new research paper describes how the malicious logic acts as a parasite, using JavaScript code to control Google Desktop functionality. While evading current information protection systems, such as anti-virus software and firewalls, the attacker could covertly hijack sensitive local information. (For example: Office documents, media files, emails--in many cases, even deleted emails--chat sessions and files could be accessed.)

In this paper, Watchfire details the methodology of attack and provides a valid use case including a description of the basic technique and some theoretical outcomes. Finally, Watchfire provides fix recommendations that are appropriate for Google Desktop, as well as for many other web-based applications. Google has been responsive and has issued a patch which mitigates the immediate risk of the attack.

“Application security vulnerabilities need to be taken seriously. As the potential damage of a Cross Site Scripting attack against a desktop application with a Web interface is enormous, Web application security must be comprehensively evaluated and continually monitored,” said Michael Weider, founder and CTO, Watchfire. “Industry leaders like Google continue to make strides in security but due to the dynamic nature of applications vulnerabilities can surface.”

Become a bobsguide member to access the following

1. Unrestricted access to bobsguide
2. Send a proposal request
3. Insights delivered daily to your inbox
4. Career development