Cenzic 232 Patent
Paid Advertising
web application security lab

Google Plugs XSS Hole in Google Desktop

It took a “few weeks” but better late than never. After a few weeks Google finally fixed the XSS hole that Watchfire found in Google Desktop. The flaw would enable attackers to read personal files from users who used Google Desktop. Apparently Google has now instituted additional layers of security to protect against their coding flaws. To quote the article:

“We’ve added an additional layer of security checks to prevent the types of attacks pointed out by Watchfire and future possible attacks through this vector as well,” [Schnitt] wrote.

Why am I not impressed by those words? Suffice it to say, neither is Watchfire:

“There’s a high potential for this to happen again,” Weider said.

Yup, but let’s finish Mike Weider’s sentence since it’s incomplete: There is a high potential of Google creating desktop products that endanger their users’ privacy again. Whenever you try to web-enable services, which Google is hyper interested in doing so they can track everything you do and integrate things more seamlessly, you are creating a huge hole.

Just because you add an additional layer of security does not make the concept secure. Of course no one will abandon this path only making the hole bigger and more complex with time. However, it is my opinion that it is only a matter of time until these types of exploits are being written into viruses. A “few weeks” is actually almost a month by my calendar (Jan 4th to Feb 1st) and that is just way too long to respond to a critical threat like this.

3 Responses to “Google Plugs XSS Hole in Google Desktop”

  1. anon Says:

    not new.
    http://www.hacker.co.il/security/ie/css_import.html

  2. Hong Says:

    @anon
    It is different, it is a persistent XSS hole in Google Desktop.

    @RSnake
    I don’t know why Watchfire said the flaw had been fixed on Feb 1st, as I know, Google Desktop 4.5 - 5.0.701.18382 does not affect, and it released on the middle of January.
    I do not agree with Google spokesman, he said that “the desktop search software gets automatically updated, so users do not need to take any steps to protect themselves.”. In fact, desktop search doesn’t get automatically updated if your system is not running as administrator, my desktop software never gets updated automatically because I won’t login my system as administrator.
    I don’t know why google doesn’t announce their flaw and suggest users update software even the flaw had been fixed.

  3. Doorway blog » Blog Archive » Дыра в google десктопе продолжение Says:

    […] А вот тут имеются интересные высказывания по этому поводу: Google Plugs XSS Hole in Google Desktop Google Desktop - The Saga Continues […]