Google Desktop and IE Flaws Can Result in Phishing Attacks
Matton Gillon has unleashed a proof-of-concept report that explains how one can take advantage of Microsoft’s Internet Explorer to access personal information via Google Desktop. Gillon writes that recent intrigue at the possibility of utilizing Google Desktop for remote data retrieval of personal user data via a web site. And that “thanks to a severe design flaw in Internet Explorer, I managed to show it’s possible to covertly run searches on visitors to a web site by exploiting this vulnerability.”
Gillon goes on to explain the process at hacker.co.il in the posting “Google Desktop Exposed: Exploiting an Internet Explorer Vulnerability to Phish User Information“. Gillon explains the security holes in IE CSS imports and how Google Accounts can be accessed via Google Desktop:
Also, if a user is already logged on to a certain service (such as Gmail or hotmail) a malicious web page could have executed certain operations in the user’s account (such as opening an email and reading it) if the restrictions weren’t in place. In IE these restrictions are kept thoroughly but they are broken when it comes to CSS imports. I call this attack CSSXSS or Cascading Style Sheets Cross Site Scripting.
We’re looking forward to a response by Google on Gillon’s Google Desktop Phishing research.