Google Desktop and IE Flaws Can Result in Phishing Attacks
Matton Gillon has unleashed a proof-of-concept report that explains how one can take advantage of Microsoft’s Internet Explorer to access personal information via Google Desktop. Gillon writes that recent intrigue at the possibility of utilizing Google Desktop for remote data retrieval of personal user data via a web site. And that “thanks to a severe design flaw in Internet Explorer, I managed to show it’s possible to covertly run searches on visitors to a web site by exploiting this vulnerability.”
Gillon goes on to explain the process at hacker.co.il in the posting “Google Desktop Exposed: Exploiting an Internet Explorer Vulnerability to Phish User Information“. Gillon explains the security holes in IE CSS imports and how Google Accounts can be accessed via Google Desktop:
Normally, browsers impose strong restrictions for cross domain interaction through the web browser. A certain web page can make a user browse to a different domain. However, it may not read the content of the retrieved page nor manipulate any of its DOM objects. This restriction is imposed so one site owner wouldn’t be able to spy on a user’s surfing habits using Javascript.
Also, if a user is already logged on to a certain service (such as Gmail or hotmail) a malicious web page could have executed certain operations in the user’s account (such as opening an email and reading it) if the restrictions weren’t in place. In IE these restrictions are kept thoroughly but they are broken when it comes to CSS imports. I call this attack CSSXSS or Cascading Style Sheets Cross Site Scripting.
We’re looking forward to a response by Google on Gillon’s Google Desktop Phishing research.
