Security researcher Robert Hansen has published details of a new attack on Google Desktop.
Basically, Hansen found a man-in-the-middle attack, this time placing an attacker between Google and someone launching a desktop search query. From this position, the attacker is able to manipulate the search results and possibly take control of other programs on the desktop.
A user of Google Desktop makes a search query that is intercepted by an attacker, according to Hansen. The attacker then injects Javascript that creates an invisible IFrame on the target URL page as well as makes the IFrame follow the user's mouse; the user is unaware. The attacker then injects more code to position a second query inside the user mouse IFrame.
As the second query executes, the attacker then forces a meta-refresh to reload the page, and that forces Google Desktop to load as well as any program indexed by Google Desktop the attacker may desire. When user clicks the evil Google Desktop query, the malicious program executes.
"This should drive home the point that deep integration between the desktop and the Web is not a good idea" since Google's site is unencrypted and therefore can be subverted by an attacker, Hansen wrote. But he notes there are two caveats here: one, you need to have Google Desktop installed, and two, the attacker must be sophisticated enough to launch a man-in-the-middle attack upon you.
To illustrate the attack, Hansen provided an online video demonstration.
