Trying google security again.

Well, the Google fix didn’t fix all the original issues I reported. I didn’t mention them in the exploit page as they only apply to a few minority browsers, but they’re there - so I’m trying again, this time copying in two people at Google who got in touch.

Not that I hold out much hope: the Google security guy hasn’t responded in the last 5 days to my simple request of how to actually report flaws, since the email address doesn’t work (and I’ve heard from two other people who have had a similar lack of response after emailing them).

Hopefully Google will start responding and taking security reports seriously. I don’t hold out much hope, but if the flaws that exist in Google Desktop are made public, Google won’t be able to get it fixed in hours; people will be stuck with the old, flawed, exploitable versions of Google Desktop they have now. If you’ve still got Google Desktop, uninstall it now!

Oh actually it looks like Salvatore Aranzulla has already publicised the Google Desktop flaw - whilst not quite the same as the one I found, it comes from the same root cause - Google developers writing untrusted data from the querystring straight into the page without encoding it.

Google, stop releasing products, get all your developers into a room, and get some good developers who understand security to explain it to everyone. Then review all your code and sites, get some tests written, get defensive and sort your security out now, before exploits start actually getting used. At the moment it’s ridiculously easy to find exploits in Google, and they don’t seem to be taking it seriously.

Users: uninstall Google Desktop, make Google a “Restricted site” in IE so script is disabled (go to “Tools - Security - Restricted sites” and add *), other browser users do the same, and start looking for different search or email solutions.


  1. puzzled_bear Says:

    Anybody with an iota of security cluefulness isn’t using IE and has JavaScript disabled already. Those that are browsing the web with script-enabled IE, well, Google is the least of their problems.

  2. Asbjørn Ulsberg Says:

    Thanks for warning me. Google Desktop is hereby uninstalled.

  3. Jim Ley Says:

    puzzled_bear, the exploit doesn’t just apply to IE, it applies to all script-capable user agents. You can be sitting there thinking Firefox or Safari is immune, but it’s not; Google’s letting the script run there too. The problem is Google’s: if script gets in the page, the browser executes it, any browser.

  4. puzzled_bear Says:

    Jim, I know that and I think Google should fix the issue. I also think the JavaScript issue should be fixed on a permanent basis, by shipping UAs with script fully disabled by default.

    I assure you no browser I run executes script from anywhere other than installed components and extensions ;-)

  5. Jim Ley Says:

    Oh right, puzzled_bear, so your comments weren’t really about IE, but about default-enabled scripting, something which applies to every script-capable UA - have you tried posting a Mozilla enhancement request about this?

    In any case, it will not work: JavaScript is too important to too many websites. All it will do is turn users to a browser that does enable JavaScript by default, or you’re going to have to have some silly “X wants to execute script on this site” model, which doesn’t work simply because users are not qualified to make those decisions.