Google security flaw exploited.

I’ve mentioned the Google script insertion flaw before; Google don’t seem to want to do anything about it. I’ve emailed security@google.com but have had no response from them, well, I got automated responses (the latest had number #15585565 in the subject; no idea what that means).

Google Desktop has made the exploit even more dangerous: because it places the results of a desktop search into the output of a regular Google search, the exploit now allows the capturing of information from the local computer. Okay, it’s not much information, but how long is a password or a credit card number? It’s also able to capture all the searches you make, and the ads/links you click, and report them to a 3rd-party site.

The exploit is a simple script insertion flaw: the image URL of a custom search isn’t sanitised against JavaScript (well, it was actually sanitised a little after my original report two years ago, but in a very incompetent way, which suggests they didn’t actually test or understand the issue), so with a link, or a custom form, you can inject script into Google, which can then load any amount of script from a 3rd-party site.
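What correct handling of that image URL parameter looks like, as an added example that is not the post’s code and has nothing to do with Google’s actual implementation: the names naiveSanitise, safeImageUrl and renderLogoTag are assumed, and the inputs are constructed. The weak version strips one token and trusts the rest, which is the shape of partial fix the post complains about; the stronger version allows only http(s) URLs and HTML-escapes the value before it goes into an attribute.

```javascript
// Added example (not from the original post): rendering a user-supplied
// "image URL" parameter into an <img> tag, as a custom-search page might.
// All function names are assumed; inputs used in comments are constructed.

// Weak approach: remove one obvious token and pass everything else through.
// Anything that can close the src="" attribute is left untouched, so this
// does not address the actual injection point.
function naiveSanitise(url) {
  return url.replace(/<script>/gi, "");
}

// Escape every character that has meaning inside an HTML attribute value.
function escapeHtml(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Stronger approach: parse the value as a URL, accept only http: or https:
// (rejecting javascript:, data:, and unparsable strings), and return the
// normalised absolute URL. The parser percent-encodes quotes and spaces in
// the path, so the result can no longer terminate the attribute.
function safeImageUrl(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    return null;
  }
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") return null;
  return parsed.href;
}

// Build the tag: rejected values fall back to a fixed, trusted default image.
function renderLogoTag(url) {
  const safe = safeImageUrl(url);
  if (safe === null) return '<img src="/static/default-logo.gif" alt="">';
  return `<img src="${escapeHtml(safe)}" alt="">`;
}
```

Validating the scheme and escaping the attribute are both needed: the first stops script URLs, the second stops a value from breaking out of the attribute it was placed in.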

The exploit is trivial, and to get a user to use it, any of the popular “search my site” Google forms can do it, or a link to Google will. My sample Google exploit is pretty poor: it tends to error with some strange timing issues occasionally (the data is still sent though), and it only works in IE (the Google Desktop results are only inserted in IE, but the general security flaw is common to many browsers; it’s not an IE security flaw), but it shows how easily it can be done. It took me half an hour; more malicious users could make it neater easily.

To protect yourself from the flaw, you can use another search engine, or ensure you only use Google from www.google.com, making sure there’s nothing in the query string before you do a search, or disable JavaScript. I’d also recommend uninstalling Google Desktop, the Google toolbar, and any other Google product, simply because taking well over 2 years to fix a trivial security issue that should never have made it past the most basic QA from the most inexperienced JavaScript tester suggests a serious problem with understanding the basics of security.
