December 07, 2005

IE Flaw + Lax Google Desktop Security = Very Fast Phishing

Now here's a very clever hack, using your own software tools against you:

Phishing with Google Desktop
The Register
Published Saturday 3rd December 2005 01:24 GMT

IE flaw lets intruders into Google Desktop
Published on ZDNet News: December 2, 2005, 1:31 PM PT

From CNET:

"This design flaw in IE allows an attacker to retrieve private user data or execute operations on the user's behalf on remote domains," Gillon wrote in his description of the attack method. He crafted a Web page that--when viewed in IE on a computer with Google Desktop installed--uses the search tool and returns results for the query "password."
The security researcher who found it is recommending the use of alternative browsers, such as Firefox and Opera, to be safe. Until a patch is developed, you may not want to use IE if you have Google Desktop installed. At least be very careful about which sites you visit, as the exploit requires a specially crafted web page.

From the articles, the flaw is definitely in IE, but Google isn't above reproach: The Register reports, "The weight of responsibility for this flaw falls on Microsoft. But Google shares some blame too, for failing to take the integrity of your personal data seriously." "...this particular flaw wouldn't have been possible without careless programming by Google, which amazingly, fails to obey the Google Desktop security model on its own site."

Of course, other search phrases are possible. Call me a rebel, but it's times like these I'm thankful I've resisted the strong urge to install some of these free goodies, for exactly the privacy and security concerns that have abounded since a number of free desktop enhancement tools have been released in recent years. Yes, it's mainly an IE flaw, and desktop productivity software has its uses, but I've always thought it a good idea to be a bit leery of anything that wants full access to all my personal files and e-mails and is Internet-enabled. Today, it's IE and Google Desktop. Tomorrow, it'll be something else, but I guess that's what keeps it interesting.

Topic(s):   Privacy & Security
Posted by Jeff Beard