Google Desktop Cross-site scripting

An Application Security Trend Report has today been released by Cenzic Inc.

The top 10 vulnerabilities in Commercial and Open Source Web Applications from Q1 2007 included software offered freely by Google, called Google Desktop:

Multiple vulnerabilities were discovered in Google Desktop that allow a remote attacker to conduct cross-site scripting attacks. The Desktop Preferences pages of Google Desktop do not properly filter script code from user input when using the “under” keyword. Under certain circumstances a remote attacker could exploit this vulnerability to compromise the machine running the Google Desktop application. The code will be able to access data on the user's system with the privileges of the Google Desktop application.

In general, Cross-site scripting is where a web application gathers malicious data from a user. The malicious data could be in the form of a link on a webpage you have clicked on. The link will look just like a normal link; however, the malicious portion will have been encoded into it. When clicked on, this link will create and send data to the encoder.
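The encoded-link pattern described above, shown as an added example (not code from the Cenzic report or from Google Desktop). The host, path and `q` parameter are hypothetical and the sample link is constructed; the two render functions contrast reflecting decoded input as-is with encoding it on output.

```javascript
// Constructed sample: a link whose "q" parameter carries percent-encoded markup.
// Host, path and parameter name are hypothetical (assumptions for illustration).
const SAMPLE_LINK =
  "http://app.example/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E";

// Extract a parameter the way a web application receives it: already decoded.
function queryFromLink(link, name = "q") {
  return new URL(link).searchParams.get(name) ?? "";
}

// Encode the characters that can change the HTML parsing context.
// This covers element bodies and quoted attribute values only; script,
// style and URL contexts each need their own encoding.
function escapeHtml(text) {
  const map = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#39;",
  };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: decoded input is concatenated straight into the page,
// so any markup hidden in the link becomes part of the document.
function renderUnsafe(query) {
  return `<p>Results for: ${query}</p>`;
}

// Hardened pattern: the same input is encoded on output and stays inert text.
function renderSafe(query) {
  return `<p>Results for: ${escapeHtml(query)}</p>`;
}

// The link looks ordinary until its parameter is decoded.
const decoded = queryFromLink(SAMPLE_LINK);
console.log("decoded :", decoded);
console.log("unsafe  :", renderUnsafe(decoded));
console.log("safe    :", renderSafe(decoded));
```
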

So how can Cross-site scripting affect you?

Often attackers will inject JavaScript, VBScript, ActiveX, HTML, or Flash into a vulnerable application to fool a user (Read below for further details) in order to gather data from them. Everything from account hijacking, changing of user settings, cookie theft/poisoning, or false advertising is possible. New malicious uses are being found every day for XSS attacks. The post below by Brett Moore brings up a good point with regard to “Denial Of Service”, and potential “auto-attacking” of hosts if a user simply reads a post on a message board.

Google Desktop is a desktop search application that enables you to search over your email, files, music, photos, chats, Gmail, and web pages that you’ve viewed in the past. Once downloaded and installed, Google Desktop starts indexing the email, files and web history stored on your computer.

For more information on Cross-site scripting and how you can be affected, visit CGI Security