Man in the middle attack threatens Google Desktop

By Justin Mann on June 1, 2007, 6:27 PM
A clever hacker has discovered a vulnerability in Google Desktop, exploiting a man-in-the-middle attack that could lead to someone becoming unknowingly compromised. It is a somewhat complicated attack and would require that the attacking person would have access to your local network or some other way of accessing data being transmitted between you and Google's servers:

With knowledge of the Google Desktop security model (a combination of one-time tokens, iFrames and JavaScript), Hansen figured out a way to sit between a target launching a Google search query and manipulate the search results to take control of other programs on the desktop.
Regardless of its difficulty, it brings out a good point in that the more integration between a desktop and a remote server, the higher the chance of something going wrong, especially with unencrypted data. That's not what companies like Google and Microsoft want to hear, who are pushing for web applications and even remote work environments as a next step in desktop and office computing.

Google has their own security team, and doubtless they'll be looking at this problem. While I disagree with the assertion that models like Google Desktop are flawed, there's clearly room for improvement and risking personal security is definitely not something Google wants to get a name for.




User Comments: 2

Got something to say? Post a comment
kitty500cat said:
This only works if you're Googling something via Google Desktop, right?
gills.james said:
I don't understand what the appeal is with the Google desktop. When I installed it on my laptop I had major performance issues. That there are security holes in this application is not surprising at all. java script  has enough security issues without adding in an application like google desktop which essentially tears apart the the browser's protection of the desktop. I think that google desktop was a really bad idea. It's not even a useful program. I prefer to see web applications like [url]http://christonium.com[/url] which appears to eliminate the possibility of these kind of security issues completely (by blocking scripts) while providing a dynamic and useful service focused on maintaining user privacy and security.It seems like these problems will only become more pervasive as time goes on. People often perceive things from google as safe because they are large. In fact, google is probably one of the most aggressive user data mining operations on the web The solution to these problems is simple. Internet companies need to start looking more like [url]http://christonium.com[/url] where user privacy and security is put first. [url]http://christonium.com[/url] is literally the only site on the web I can think of which has implemented a secure and practical user environment. They put Google to shame.
Load all comments...

Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...
Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.