Watchfire just released a whitepaper on Overtaking Google Desktop which is a thought-provoking read. It essentially exploits the mechanism by which Google Desktop hooks the browser in order to inject links to the local Google Desktop instance when the user performs a typical online Google search. There are a couple of gating factors to making this attack viable -- the initial attack vector requires an exploitable XSS vulnerability in, and the victim must have Google Desktop's browser integration feature enabled. An added twist is that a successful attack essentially gets cached by Google Desktop (since it is based on an advanced search preference) and could persist indefinitely. Really nice work by the Watchfire research team.

More important than the vulnerability itself is the fact that this further blurs the boundaries between web-based and desktop-based attacks. What other pieces of desktop software might potentially be manipulating browser content to provide some level of seamless browser integration? Any standalone application that wants to introduce functionality that integrates with their website (or others) could fall into this category -- RSS readers, news readers, BitTorrent clients, instant messaging applications, etc. Local HTTP servers in desktop applications are not too uncommon and will become more prevalent as the web browser becomes the primary user interface for everyday tasks.

Should web browsers really permit arbitrary desktop applications to manipulate the content of pages, without explicit permission from the user? Providing a way to disable this behavior would be one step toward re-establishing boundaries in the interest of security.

About Chris Eng

Chris Eng, vice president of research, is responsible for integrating security expertise into Veracode’s technology. In addition to helping define and prioritize the security feature set of the Veracode service, he consults frequently with customers to discuss and advance their application security initiatives. With over 15 years of experience in application security, Chris brings a wealth of practical expertise to Veracode.

Comments (0)

Please Post Your Comments & Reviews

Your email address will not be published. Required fields are marked *

Love to learn about Application Security?

Get all the latest news, tips and articles delivered right to your inbox.