Phishing with Google Desktop

1 comment

Following a lead in el Reg, I found security researcher Matan Gillon's write-up of "Google Desktop Exposed: Exploiting an Internet Explorer Vulnerability to Phish User Information". There is a very full explanation, but the author's overview is:

It was bound to happen. I was recently intrigued by the possibility of utilizing Google Desktop for remote data retrieval of personal user data (such as credit cards and passwords) through the use of a malicious web page. Now, thanks to a severe design flaw in Internet Explorer, I managed to show it's possible to covertly run searches on visitors to a web site by exploiting this vulnerability. In this article I will detail what the vulnerability in IE is and how it is used to exploit Google Desktop. If you have IE 6 and Google Desktop v2 installed you can test it for yourself in my proof of concept page.


Not Surprising

The one thing I'm always busting on Google about is the amount of bugs I find in their online tools and that they must not have a good code review and QA policy in place. Of course that's mere speculation based on observations and my own past experience as a director of engineering developing large projects and knowing what SHOULD be done.

Well, if I'm even close to being right that Google isn't as polished in the code review and QA departments then translating those weaknesses and their 'release the beta' mentality into developing desktop software surely has some major implications to people installing their software.

For this very reason the only thing I've ever downloaded and installed from Google was Google Earth as I didn't want their toolbar [nor anyone else's toolbar] or desktop as it's just too integrated into the browser to be safe IMO.
