Internet Explorer/Google Desktop Flaw

December 2nd, 2005

Via Google Blogoscoped, eWeek reports:

An unpatched design flaw in Microsoft Corp.’s Internet Explorer browser could give malicious hackers an easy way to use the Google Desktop application to covertly hijack user information.

Matan Gillon, a hacker from Israel, discovered the vulnerability in the cross-domain protections in Internet Explorer and published a proof-of-concept exploit to show how Google Desktop can be cracked.

"The proof of concept works on a fully patched IE browser (default security and privacy settings) with Google Desktop v2 installed," Gillon said in a note sent to Ziff Davis Internet News.

A detailed explanation and proof of concept has been published online.

The explanation also covers the browser same origin policy. The same origin policy basically stops one website from reading the contents of another website using an IFRAME or XMLHttpRequest. If the same origin policy did not exist, someone could write some JavaScript to send a request to eBay and then use the DOM to "steal" private information.
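The origin comparison described above, as an added example (not code from the original post or from Gillon's write-up): two URLs count as the same origin only when scheme, host and port all match. The function names and the `.example` hosts are assumptions made for illustration.

```javascript
// Added example: the origin comparison behind the same origin policy.
// All URLs used here are constructed sample values.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Return the (scheme, host, port) tuple for a URL, or null when the URL
// cannot be parsed or has no tuple origin (data:, file: and similar).
function originTuple(url) {
  let u;
  try {
    u = new URL(url);
  } catch (e) {
    return null;
  }
  if (!(u.protocol in DEFAULT_PORTS)) return null;
  return {
    scheme: u.protocol.slice(0, -1),
    host: u.hostname, // the URL parser has already lower-cased it
    port: u.port || DEFAULT_PORTS[u.protocol], // "" means default port
  };
}

// Same origin only if all three parts match exactly.
function isSameOrigin(a, b) {
  const x = originTuple(a);
  const y = originTuple(b);
  if (x === null || y === null) return false; // opaque origins match nothing
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// The decision made before script on pageUrl may read the DOM of a framed
// document or the body of an XMLHttpRequest response from targetUrl.
function mayRead(pageUrl, targetUrl) {
  return isSameOrigin(pageUrl, targetUrl) ? "allow" : "block";
}

// Constructed cases: a page on shop.example and four possible targets.
function demo() {
  const page = "http://shop.example/cart";
  const targets = [
    "http://shop.example:80/account",  // same origin, explicit default port
    "https://shop.example/account",    // different scheme
    "http://www.shop.example/account", // different host
    "http://shop.example:8080/admin",  // different port
  ];
  return targets.map((t) => `${mayRead(page, t)}  ${t}`);
}

console.log(demo().join("\n"));
```

Only the first target is readable from the page; a different scheme, subdomain or port each makes the target a separate origin.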

The exploit combines a flaw in the same origin policy with Internet Explorer’s liberal parsing to do basically what the policy is meant to prevent. This flaw isn’t really the fault of Google Desktop; I presume Google Desktop is being mentioned because, combined with Internet Explorer, it allows an attacker to steal credit card information, bank statements, e-mails and more.

If you use an alternative browser such as Firefox, you are in-vuln-er-able Rodney style. 
