Navigation

Serious XSS Flaw in Google Desktop Allows Data Theft

Last updated: September 9, 2015 | 5,047 views

Google has fixed a security flaw in its desktop search software that created a means for hackers to rifle through personal files on users’ PCs.

A failure in Google Desktop to “properly encode output containing malicious or unexpected characters” created a means for hackers to cross from the web environment to the desktop application environment.

So if you are running Google Desktop we suggest you update it ASAP.

The attack, outlined in a paper (PDF) released by the firm, uses a cross-site scripting (XSS) flaw in the Google Desktop application in conjunction with any other XSS flaw in the Google.com domain to install malicious JavaScript on the user’s computer. Using the technique, an attacker could create a JavaScript program that Google Desktop repeatedly runs, allowing the attacker to search a victim’s computer using terms most likely to dredge up interesting data.

Google released an updated version of Google Desktop that fixes the local cross-site scripting flaw earlier this month, but many users may not have gotten the patch, said Danny Allan, director of security research for Watchfire. Because of the popularity of Google Desktop, there could be a large number of users with vulnerable systems.

Read More:

Google Desktop flaw allows data theft
Google patches critical desktop flaw
Serious Flaw in Google Desktop Prompts Patch

0 Shares

Posted in: Exploits/Vulnerabilities, Hacking News

cross-site-scripting, google, google-desktop, hacking-google, XSS

Latest Posts:

dSploit APK Download - Hacking & Security Toolkit For Android

dSploit APK Download – Hacking & Security Toolkit For Android
dSploit APK Download is a Hacking & Security Toolkit For Android which can conduct network analysis and penetration testing activities.

January 15, 2020 - 122 Shares

Scallion - GPU Based Onion Hash Generator

Scallion – GPU Based Onion Hash Generator
Scallion is a GPU-driven Onion Hash Generator written in C#, it lets you create vanity GPG keys and .onion addresses (for Tor's hidden services).

January 10, 2020 - 196 Shares

WiFi-Dumper - Dump WiFi Profiles and Cleartext Passwords

WiFi-Dumper – Dump WiFi Profiles and Cleartext Passwords
WiFi-Dumper is an open-source Python-based tool to dump WiFi profiles and cleartext passwords of the connected access points on a Windows machine.

December 19, 2019 - 299 Shares

truffleHog - Search Git for High Entropy Strings with Commit History

truffleHog – Search Git for High Entropy Strings with Commit History
truffleHog is a Python-based tool to search Git for high entropy strings, digging deep into commit history and branches. This is effective at finding secrets accidentally committed.

December 2, 2019 - 169 Shares

AIEngine - AI-driven Network Intrusion Detection System

AIEngine – AI-driven Network Intrusion Detection System
AIEngine is a next-generation interactive/programmable Python/Ruby/Java/Lua and Go AI-driven Network Intrusion Detection System engine with many capabilities.

November 25, 2019 - 143 Shares

Sooty - SOC Analyst All-In-One CLI Tool

Sooty – SOC Analyst All-In-One CLI Tool
Sooty is a tool developed with the task of aiding a SOC analyst to automate parts of their workflow and speed up their process.

November 1, 2019 - 162 Shares

Why Blurring or Mosaicing Important Information is a BAD Idea

LFT – Layer Four Traceroute and WhoB

Comments are closed.