Google Gears for Attackers

Data Theft and Backdoor Placement Attacks on Google Gears’ Users

This paper describes multiple stealthy, remote attacks against users of Google Gears, with impacts ranging from theft of the victim’s entire Gmail Inbox to permanent backdoors in popular sites such as Gmail, MySpace, WordPress and Google Docs.

For a website to use Google Gears, the user must explicitly permit that site to do so. Once permission is granted, the site can store data on the user’s hard disk in the form of SQLite databases, which it can read, write and alter. Gears also lets the site save and serve pages locally from the user’s system, in effect creating a web server on the user’s system. All of Google Gears’ features are accessible from JavaScript through the Gears API.

