Google Cookie lets you go anywhere

Not surprisingly there’s more announcements of google’s holes - they’ve fixed Aranzulla’s by the looks of things (by stopping any google desktop results from appearing in a web search, good choice) but they’ve still not fixed my google desktop one, although it’s now not exploitable unless you can first get in to the localhost so - look at what happens when getting a cached email message, the search string is written unencoded into the page - </script><script>alert(1)</script> will execute the script, tough to exploit without other bugs, but still shows poor programming practices.

The recent hole again shows they don’t really understand basic security principles - the cookie you get to authenticate you, lasts forever, isn’t tied to ip address or anything, it’s all you need to view gmail, google or anything. People who looked at my sample exploits will note I captured the cookie as part of one of the POC’s - don’t worry if you looked, I won’t be doing anything with the cookie.

The Google Cookie problem is pretty obvious, I’d considered it, but not bothere to check figuring that google couldn’t be that stupid to only use a cookie for authentication without basing it on a hash of other details of the request, I should never have underestimated Google’s ability to get security wrong.


  1. San Diego PC Help Says:

    This is a huge story. I can’t believe it’s being reported so slowly. How many people are already using the google desktop? How many more will use it?