Picture theft through hole in Google’s Picasa
The finders of the URI holes in Firefox and Windows are now targeting Google. In their blog, Billy Rios and Nate McFeters have described how attackers could steal all of the pictures a user manages with Google's picture gallery software Picasa from the user's hard disk. They were apparently able to copy pictures from a PC to a manipulated web server by combining several attack methods: cross-application scripting, cross-site scripting, URI tricks and a Flash file carrying ActionScript.
As with similar problems in other applications, the root cause is that Picasa registers the URI scheme picasa:// during installation, so that web pages can invoke the application and partly control it. Rios and McFeters used this weakness to make the user believe that an important Picasa update was available on a manipulated web page, with the supposed update triggered through a fake button. Instead of being directed to Google's servers, the user lands on a malicious server that copies the pictures from the hard disk. Since this process takes some time, a fake progress bar is displayed to simulate a download from Google's Picasa web site.
According to Rios and McFeters, this kind of attack is rather complex and consists of several steps, requiring several scripts. They have nevertheless published most of these scripts, written by Rob Carter. The report on this vulnerability includes a series of pictures illustrating the attack. There is no short-term solution to this problem, and deregistering the URI scheme is no real help either, since, according to Rios, key Picasa processes would then cease to function.
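The security-relevant point above is that a registered URI scheme turns every web page into a caller of the application, so the handler's argument parsing is the trust boundary. The following Python handler is an added example, not Picasa's code: the grammar picasa://<action>?<params>, the action names open and update and the update URL are all hypothetical (only the scheme name comes from the article). It accepts only allow-listed actions with strictly validated parameters and, in particular, never lets the calling page supply the server an update is fetched from.

```python
"""Strict argument validation for a custom URI scheme handler.

Added example (not Picasa's code). The grammar picasa://<action>?<params>,
the action names and the update URL are hypothetical; only the scheme name
comes from the article.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlsplit

SCHEME = "picasa"
# The update server is a fixed, built-in constant (placeholder value): a web
# page must never be able to tell the handler where to download anything from.
BUILTIN_UPDATE_URL = "https://updates.example.invalid/picasa/latest"

# Album names are the only free-form input accepted, and only in this shape:
# no path separators, no leading dots, no quotes, bounded length.
_ALBUM_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9 _.-]{0,63}")


@dataclass(frozen=True)
class HandlerCommand:
    action: str
    album: Optional[str] = None
    needs_user_confirmation: bool = False


class RejectedUri(ValueError):
    """Raised for any URI the handler is not willing to act on."""


def _single_param(params: dict, name: str) -> str:
    """A parameter given twice is an ambiguity, and ambiguity is rejected."""
    values = params.get(name, [])
    if len(values) != 1:
        raise RejectedUri(f"parameter {name!r} must appear exactly once")
    return values[0]


def parse_handler_uri(uri: str) -> HandlerCommand:
    """Map a URI to a HandlerCommand or raise RejectedUri; nothing else is possible."""
    if len(uri) > 512:
        raise RejectedUri("URI too long")
    parts = urlsplit(uri)
    if parts.scheme != SCHEME:
        raise RejectedUri("unexpected scheme")
    # The action sits in the netloc position; a path or fragment has no meaning here.
    if parts.path or parts.fragment:
        raise RejectedUri("unexpected URI components")
    action = parts.netloc
    if not re.fullmatch(r"[a-z]+", action):
        raise RejectedUri("malformed action")
    params = parse_qs(parts.query, keep_blank_values=True)

    if action == "update":
        # The handler checks BUILTIN_UPDATE_URL itself and asks the user first;
        # the page cannot redirect it to another server.
        if params:
            raise RejectedUri("update takes no parameters")
        return HandlerCommand(action="update", needs_user_confirmation=True)

    if action == "open":
        if set(params) != {"album"}:
            raise RejectedUri("open takes exactly one parameter: album")
        album = _single_param(params, "album")
        if not _ALBUM_NAME.fullmatch(album):
            raise RejectedUri("album name contains disallowed characters")
        return HandlerCommand(action="open", album=album)

    raise RejectedUri(f"unknown action {action!r}")


def handle(uri: str) -> Optional[HandlerCommand]:
    """Wrapper for callers that only want to log rejections: None instead of an exception."""
    try:
        return parse_handler_uri(uri)
    except RejectedUri:
        return None


if __name__ == "__main__":
    # Constructed sample invocations: two legitimate, the rest the kind of
    # thing a page would send if it wanted to drive the application.
    for sample in ("picasa://update",
                   "picasa://open?album=Holiday%202007",
                   "picasa://update?server=http://updates.example.invalid/",
                   "picasa://open?album=..%2F..%2FUsers%2Fme",
                   "picasa://exportall?to=https://collector.example.invalid/"):
        print(sample, "->", handle(sample))
```

The design choice worth copying is that the handler carries no parameter whose value is a URL: the page may ask the application to do something, but never where to do it, which is exactly the degree of control the attack described above relied on.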
But these are not the only problems facing Google. For instance, Google Urchin, the locally installed version of Google Analytics, contains a cross-site scripting vulnerability that web pages can easily exploit to steal Google log-in data. A video demonstrates how the exploit works. The report also states that Google was informed of this problem on June 25 and is currently working on a fix.
Other reports speak of an XSS vulnerability in Google’s Search Appliance, a scalable hardware and software package for enterprises, used to operate a search engine within corporate networks and on public web pages. This vulnerability could be exploited to manipulate the search results displayed to users.
Finally, XSS vulnerabilities on Google.com can be used to steal contact information and messages from Gmail accounts. These holes, which are based on insufficient sanitization of STYLE tags, have now been fixed.
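For the STYLE-tag issue, an added illustration (not Google's fix) of what sufficient sanitization looks like in Python: user-supplied CSS is reduced to an allow-list of properties with plain values, and <style> elements are removed outright. The property list and the value grammar are this example's own choices.

```python
"""Allow-list sanitisation of user-supplied CSS.

Added example, not Google's code. The property names and the value grammar
below are this example's own choices.
"""
import re

ALLOWED_PROPERTIES = {"color", "background-color", "font-size", "font-weight",
                      "font-style", "text-align", "text-decoration"}
# Values may contain only words, numbers, units, hex colours, commas and spaces.
# Parentheses, quotes, colons, slashes and backslashes are excluded, which
# rules out url(), expression(), CSS escapes and any scheme-carrying value.
_SAFE_VALUE = re.compile(r"[A-Za-z0-9#%.,\s-]{1,64}")
_STYLE_ELEMENT = re.compile(r"<style\b[^>]*>.*?</style\s*>", re.IGNORECASE | re.DOTALL)


def sanitize_declarations(css: str) -> str:
    """Keep only `prop: value` pairs whose property is allow-listed and whose value is plain."""
    kept = []
    for decl in css.split(";"):
        if ":" not in decl:
            continue
        prop, value = decl.split(":", 1)
        prop, value = prop.strip().lower(), value.strip()
        if prop in ALLOWED_PROPERTIES and _SAFE_VALUE.fullmatch(value):
            kept.append(f"{prop}: {value}")
    return "; ".join(kept)


def strip_style_elements(html: str) -> str:
    """Drop every <style> element; user content has no business defining stylesheets."""
    cleaned = _STYLE_ELEMENT.sub("", html)
    # An unterminated <style> would make the browser read the rest of the
    # document as CSS; drop it and everything after it rather than let it through.
    leftover = re.search(r"<style\b", cleaned, re.IGNORECASE)
    return cleaned[:leftover.start()] if leftover else cleaned


if __name__ == "__main__":
    # Constructed sample: one harmless declaration among two that smuggle code.
    print(sanitize_declarations(
        "color: red; background-color: url(javascript:alert(1)); width: expression(alert(1))"))
    print(strip_style_elements("<p>hi</p><STYLE>body{x:url(javascript:evil)}</style><p>x</p>"))
```

The allow-list direction matters: a filter that looks for known-bad strings has to be extended for every new browser quirk, whereas a filter that only admits known-good properties and a character set without parentheses or colons has nothing to chase.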
- Say Cheeeeeese!, blog entry by Billy Rios
- Stealing Pictures with Picasa, blog entry by Billy Rios
- Google Urchin password theft madness, blog entry by Adrian Pastor
- Another XSS In Google Search Appliance, blog entry on ha.ckers.org
- Google Vulnerability, blog entry on bedford.org