Thursday, March 4, 2010
Google Gears for Attackers
Google Gears is a free and open source project from Google that provides some powerful features to both web applications and site users. Browsers like Google Chrome and SRWare Iron come with Gears pre‐installed. Users of other browsers can install Google Gears on their systems to experience these features.
This paper describes multiple stealthy and remote attacks against users of Google Gears which could have impacts ranging from stealing the entire Gmail Inbox of the victim to setting permanent backdoors in popular sites like Gmail, MySpace, WordPress, Google Docs etc.
If an attacker controls the DNS server or is able to inject his data in to the user’s HTTP traffic then an attacker can serve content for a site that has been permitted by the user to use Gears. When this happens the attacker can exploit the features provided by Google Gears to cause serious and long‐lasting damage to the victim.
In traditional attacks in this scenario, the attacker would get the credentials of the user directly if the login is on HTTP. If it is on HTTPS then the attacker could perform a SSL MITM which is noisy or could strip off the SSL layer which is stealthier. A smart user might detect these attacks so alternatively the attacker could let the authentication happen securely on HTTPS and capture the post authenticated cookie, since most sites switch back to HTTP after authentication. All of these attacks depend entirely on the user entering his credentials which takes the control away from the attacker.
The attacks described in this paper could result in long‐term compromise and do not require user interaction, the attack duration is typically a second or two and is virtually undetectable by the user. Gears is a new technology which creates possibilities for new types of attacks to be carried out against the user. This paper discusses in details the various attacks that can be performed using the Database and LocalServer modules of Google Gears.
Interestingly the local database and content caching features are also part of HTML5. Attacks of similar nature to the ones described in this paper does work on HTML5 as well. However, no popular site has been found to use these features of HTML5 yet, hence this paper only focuses on Google Gears.