40by40 writes "A Web application security specialist has figured out a way to launch man-in-the-middle attacks against a computer with a fully patched Google Desktop installed. With knowledge of the Google Desktop security model (a combination of one-time tokens, iFrames and JavaScript), hacker Robert Hansen figured out a way to sit between a target launching a Google search query and manipulate the search results to take control of other programs on the desktop. From the article: 'This should drive home the point that deep integration between the desktop and the web is not a good idea, without tremendous thought put into the security model. As Google's site is unencrypted, and they place their content that can run executables on their site, it can be subverted by an attacker," Hansen warns. Hansen's advisory come just days after a Chris Soghoian's exposé of a similar man-in-the-middle attack scenario against a remote vulnerability in the upgrade mechanism used by a number of commercial Firefox extensions.'" Read more of this story at Slashdot.
 </img>
Read More about: Zero Day Hole in Google Desktop... |
