Google is no stranger to security issues, that’s for sure. They’ve had their fair share to deal with, and it doesn’t appear that it’s getting any better. Each time it’s serious business and the fact of the matter is, security will always be something that Google will need to viscously deal with.

One of the more recent incidences involves Gmail experiencing some issues with XSS holes (Cross-site scripting).  This is dangerous for users because it can expose their Google account information and even allow hackers to hi-jack a Gmail session, not to mention the fact that Google uses a single sign-on method.This issue has since been fixed, but the problems didn’t stop here.


Another recent incidence involves Google Desktop and a zero-day vulnerability. It’s explained best by Robert Hansen who has previously taken in-depth looks at security flaws:

  • User goes to Google and performs a search.
  • Man in the middle detects the action and proceeds to inject his own content.
  • The attacker injects a piece of JavaScript that creates an iframe to the target URL as well as makes the iframe follow the mouse. This is invisible to the user.
  • He then frames another search query to correctly position the content inside the follow mouse script.
  • As the evil search query loads, he injects a meta-refresh to reload the same page forcing Google Desktop to load. This could be any program already installed on the victim machine that is indexed by Google Desktop.
  • User inadvertently clicks on evil Google Desktop query which actually runs the associated program.

While Google may tout “don’t be evil,” that doesn’t mean that there isn’t evil lurking amongst their services. Case in point, here are some of the Google security issues we’ve already discussed:

  1. Google Exploit Found – Pretends to be Gmail Plus
  2. Gmail Flaw can Give Anyone your Contact List
  3. Another Google Security Flaw Found
  4. Google Desktop Patched to Prevent Computer Takeover

As always, users beware! Hansen says in regards to the zero-day-vulnerability with Google Desktop, “This should drive home the point that deep integration between the desktop and the web is not a good idea, without tremendous thought put into the security model.”

For those using Google Desktop, his statement gives you something to think about.

Source: Slashdot (Thanks for the tip Cory!)
Image Source