Google Ad Hack

Clever:

…the bad guys behind the attack appeared to capitalize on an odd feature of Google’s sponsored links. Normally, when a viewer hovers over a hyperlink, the name of the site that the computer user is about to access appears in the bottom left corner of the browser window. But hovering over Google’s sponsored links shows nothing in that area. That blank space potentially gives bad guys another way to hide where visitors will be taken first.

Posted on May 1, 2007 at 7:25 AM • 28 Comments

Comments

Clive Robinson May 1, 2007 7:43 AM

It would be pointless telling users not to click on such blank links; they still follow known bad ones that do show. So education is not likely to work.

I guess the answer (for a business) is to block access to non-approved sites, however that raises a whole set of other (management) issues.

I can think of a couple of ways to reduce the problem BUT… they are not going to be “fool proof” and that is the real problem. If you put in place 99.9% reliable systems to protect people they quickly develop a lack of caution so the .1% will cause them (and you) real pain.

Rain May 1, 2007 7:45 AM

This destination hiding is actually why I never click on Google ads (or flash ads, or any other non-HTML links). I wonder if this is a significant barrier to click-through, or just a hang-up of a (justifiably) paranoid few?

Anonymous May 1, 2007 7:53 AM

I never click on Google’s sponsored links because I don’t see the need to… The best sites come at the top of my results anyhow.

Fred Flint May 1, 2007 8:14 AM

It’s kind of interesting that when I have Scripts turned off, I can see a bunch of ‘nonsense’ link information but if I turn Scripts on, I get a blank area.

That tells me the Scripts on the page are designed to blank out the destination, probably because it’s just internal Google accounting and not a standard Internet address – so it’s useless anyway.

It also tells me Google ‘should’ know where each link goes, since they are capturing the information and essentially re-sending you there, just like the bad guys do. That ought to make this scam easy to stop, once they’ve figured out who/where the bad guys are.

I also guess that’s where the bad guys got the idea in the first place!

Longwalker May 1, 2007 8:14 AM

The real flaw here is that browsers allow blind links in the first place. Users should always be able to tell where a link goes before clicking on it.

Some Guy May 1, 2007 8:21 AM

Perhaps it would be useful for a browser, whenever JavaScript redirects the browser, to pop up a dialog and ask for approval, since you haven’t had a chance to see where it’s going till then.

Lisa May 1, 2007 8:27 AM

@Rain

“This destination hiding is actually why I never click on Google ads (or flash ads, or any other non-HTML links). I wonder if this is a significant barrier to click-through, or just a hang-up of a (justifiably) paranoid few?”

I agree. It’s a security hole, and honestly, if the link does turn out to be “safe,” I figure if the person posting the link is so ashamed that they want to hide the ultimate destination, it can’t be that great of a destination anyway.

perlmaster May 1, 2007 8:31 AM

In Firefox and some other browsers you can disable the feature that JavaScript can change the status line or do some other stuff like catch the click of the right mouse button. That’s quite useful. And there are extensions which offer even more control.

Mathinker May 1, 2007 8:49 AM

As I posted on Slashdot when this topic came up, if you use Firefox + NoScript and only authorize the google.com domain, clicking on these predatory ad links isn’t going to be much of an issue, because most browser attacks nowadays are via Javascript vulnerabilities (it doesn’t hurt with respect to the non-Javascript ones that I’m running Linux, either).

I click on Google Ad-Sense ads freely from websites I want to support, knowing that NoScript will block most nefarious attacks. Actually, in >95% of the cases, the site I get to doesn’t display properly, and I never enable Javascript just to see advertising… their loss!

Vincent May 1, 2007 9:19 AM

I’m skeptical that letting the user see the URL the link points to would do anything. I consider myself an informed computer user, but I don’t know a way to look at a link and know if it’s safe or not. It’s just not possible in general. Sure, if I was expecting a particular company’s website, then I would notice that the url was wrong compared to what I expected. But there are plenty of links I click on every day that point to websites I’ve never been to before. I have no way of knowing if they are safe or not.

The attackers can just change tactics — say by pretending to be a legitimate retailer that sells something at slightly below market price. Users would have no way of knowing if the link was safe or not, even if they could see it, because they would have no way of knowing what it should be.

Or they can always register something convincingly close, like better-busines-bereau.org (with only one s in business). The success of phishing attacks shows that this works.

While telling the user where a link really points to helps them, it does not help them enough to avoid this problem. We need to focus on the underlying problem, not a distracting feature.

nostromo May 1, 2007 9:29 AM

“The attackers exploited a flaw in Microsoft’s Internet Explorer Web browser”

[yawn] So it’s the zillion-and-one’th way to exploit MSIE? Why is this news?

Michael May 1, 2007 10:20 AM

In reading through the comments on the Washington Post article, I am struck by the number that blame the user. We, the digerati, we the security savvy, are a fraction of 1% of the users on the Web. Google was exploited. Google, with all of their PhDs, was the attack vector. The bad guys signed up with Google, potentially paid Google a fee, and used a flaw in Google’s system to attack users. Allow me to be the first to go on record: “This was Google’s fault.”

SteveJ May 1, 2007 10:47 AM

Particularly worrying, considering that Google’s sponsored links (and their search results) display in green the URL they supposedly refer to.

In the image accompanying the article, this is “www.bbb.org”.

So, apparently Google allow the advertiser to control this text, which exacerbates this particular attack: not only does the user get nothing in the status bar, they actually get misleading information which appears to come from Google. As Michael says, this is Google’s fault.

The blank status bar is a red herring. The article fails to realise that it isn’t part of this attack. The URL that would be displayed is just an address on a Google domain, and Google’s server redirects you to the advertiser’s site. The attack would work just as well even if Google didn’t hide the status bar URL.

You can’t rely on a status bar URL for any sort of security, if it just points to a service like Google which you know is going to redirect you to an unrelated domain, without vetting the contents. The only way Google could prevent this attack vector is by finding a way to ensure that either its advertisers are trustworthy, or its users’ browsers are bulletproof: the JavaScript is nothing to do with it.

As an aside, my status bar shows no URL for Google sponsored links even with “change the status bar text” disabled in Firefox’s Javascript options. Disabling Javascript entirely restores the URL, which is always on Google’s server. So it seems that Google is additionally exploiting some flaw in Firefox in order to hide the URL even when the user wants to see it.

Fenris Fox May 1, 2007 10:53 AM

@Fred Flint:

That’s why I like NoScript for Firefox so much.. keep the scripting off until it’s needed.

And BTW – NoScript comes with Google pre-whitelisted. Anyone who uses NoScript, IMO, should remove the pre-whitelistings…

On the other hand, that may break Gmail – but I use a client for Gmail anyway… =xoD

[NOT OE!]

SteveJ May 1, 2007 10:58 AM

@Some Guy:

“whenever javascript redirects the browser, to pop up a dialog and ask for approval”

Just for information, Google doesn’t use a Javascript redirect, it’s a 302 response from their server (apparently via “eu.decdna.net” in the case I looked at, which is another redirecter owned by Real. I don’t know what’s going on there.)

The HTTP spec has various things to say about redirects. In short, browsers are not expected to warn and query the user if an HTTP GET is redirected to another domain. 302s are therefore so common, even between domains, that it would probably be too obtrusive to have to dismiss a dialog every time one happens. In the case I looked at, there would be two dialogs in order to follow the sponsored link. Users simply aren’t going to tolerate that level of annoyance, and would either switch it off or click “OK” without reading it.
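An added example (not code from the post or any commenter) of the check SteveJ describes: follow each 3xx hop of a sponsored link by hand, so every intermediate redirector stays visible, and compare the final landing domain with the advertiser-controlled display text (“www.bbb.org” in the article’s screenshot). The hosts and paths in the sample chain are constructed stand-ins, and `sample_fetch` replaces a real HEAD request so the code runs offline.

```python
from urllib.parse import urlparse, urljoin

# Constructed sample of a sponsored-link click: the href sits on a Google
# domain, which answers with a 302 to a third-party redirector, which 302s
# again to the real landing page. These hosts and paths are illustrative only.
SAMPLE_RESPONSES = {
    "http://www.google.com/aclk?sa=L&ai=EXAMPLE": (302, "http://redirector.example.net/go?id=1"),
    "http://redirector.example.net/go?id=1": (302, "http://landing.example.org/bbb/"),
    "http://landing.example.org/bbb/": (200, None),
}

def sample_fetch(url):
    """Stand-in for an HTTP HEAD that does not auto-follow; returns (status, Location)."""
    return SAMPLE_RESPONSES.get(url, (404, None))

def resolve_redirects(url, fetch, max_hops=10):
    """Follow 3xx Location headers one at a time and return every URL visited.
    Following by hand keeps each redirector in the chain visible to the analyst."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in (301, 302, 303, 307, 308) or not location:
            return chain
        chain.append(urljoin(chain[-1], location))  # Location may be relative
    raise RuntimeError("too many redirects")

def registered_domain(url):
    """Crude last-two-labels domain; enough to spot a hop to an unrelated site."""
    host = urlparse(url).hostname or ""
    return ".".join(host.split(".")[-2:])

def check_sponsored_link(href, display_text, fetch):
    """Compare the domain shown to the user with where the click actually ends up."""
    chain = resolve_redirects(href, fetch)
    final_domain = registered_domain(chain[-1])
    shown_domain = registered_domain("http://" + display_text)
    return {
        "chain": chain,
        "hops_cross_domain": len({registered_domain(u) for u in chain}) > 1,
        "display_matches_final": shown_domain == final_domain,
    }

if __name__ == "__main__":
    result = check_sponsored_link("http://www.google.com/aclk?sa=L&ai=EXAMPLE",
                                  "www.bbb.org", sample_fetch)
    for hop in result["chain"]:
        print(" ->", hop)
    print("display text matches final domain:", result["display_matches_final"])
```

A mismatch between the displayed domain and the final hop is exactly the signal the status bar cannot give here, because the status bar (when shown at all) only ever names the first hop on Google’s server.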

SteveJ May 1, 2007 11:01 AM

I said “Google is additionally exploiting some flaw in Firefox”.

This makes it sound like a deliberate attack: it probably isn’t, just some bug in Firefox or the way I have it configured…

merkelcellcancer May 1, 2007 11:10 AM

Finjan may be part of the solution for links as a plugin for Firefox and IE.

Finjan SecureBrowsing is a free service that proactively alerts you to potential malicious content hiding behind links of search results, ads and other selected web pages. Finjan SecureBrowsing accesses each of the URLs in its current form on the web, and scans the relevant pages in real time using Finjan’s patented behavior-based technology. Finjan SecureBrowsing then displays a safety rating next to each link it has scanned.

http://securebrowsing.finjan.com/about.html

BadBusiness May 1, 2007 12:24 PM

@Michael
“This was Google’s fault.”

I completely agree.

This has nothing to do with the browser. This has everything to do with the way Google is allowing this particular attack to occur by manipulating their users with how they are presenting and redirecting these ads.

Google need to seriously rethink how ads are used to prevent future attacks.

Christoph Zurnieden May 1, 2007 3:48 PM

Finjan may be part of the solution for links as a plugin for Firefox and IE.

Well, let’s take a look at http://securebrowsing.finjan.com/about.html

“Q. How Is Finjan SecureBrowsing Unique?
A. Finjan SecureBrowsing is based on patented behavior-based content inspection technology, which is the only solution that proactively detects both known and unknown web threats.”

“patented”, “only solution”, “proactively”, “both known and unknown”? Ok, that might be the result of the PR department. It goes on:

“This unique real-time technology sets SecureBrowsing apart from other products on the market, most of which rely on database updates. ”

“unique real-time technology”? OK, that might be still the rubbish of a PR-department. But the next sentence hit it:

“Finjan SecureBrowsing analyzes and understands the actual intent of the code on each web page”

Congratulations! You just proved Gödel’s Incompleteness Theorem wrong! Expect the Fields Medal in your next mail!

But don’t be too disappointed if it is just a voucher for a room at the doghouse.

CZ

PS:
“Q. How does it work?
A. Finjan SecureBrowsing performs real-time code analysis of the current content on each of the rated web pages.”

Oh, I didn’t see it the first time, you solved the Halting Problem too?

Christoph Zurnieden May 1, 2007 5:03 PM

@ Anonymous at May 1, 2007 04:26 PM

Learn from history, don’t repeat it!

Would you please explain what you mean by citing that adage?
I prefer simple words and short sentences for I do not speak English natively.

CZ

Paeniteo May 2, 2007 3:44 AM

@Christoph:
Using modern program analysis techniques, it is possible to achieve “conservative approximations” about a program’s intent.
In other words: If you like, you can detect all malicious code. You will receive false positives, though. The art is to reduce them to a manageable number while still retaining the conservativeness-properties of the approximation.

Trivial approach (as proof-of-concept): Mark any code as malicious.

shimmershade May 2, 2007 12:42 PM

Google often blocks access to search results when Tor is used by the searcher. Ostensibly the blocking occurs to protect the web sites in search results. Meanwhile, the searcher has been inadequately protected by Google, at least when clicking on ads.

Trade secrets notwithstanding, Google should tell us more about what they’re doing, and not doing.

Christoph Zurnieden May 2, 2007 4:35 PM

@Paeniteo

“Using modern program analysis techniques, it is possible to achieve ‘conservative approximations’ about a program’s intent.”

Please define “conservative approximations”.

“In other words: If you like, you can detect all malicious code.”

No, you can’t, and even …

“You will receive false positives, though.”

… won’t help you, the set of malicious code is always larger than the set you are able to test.

“The art is to reduce them to a manageable number while still retaining the conservativeness-properties of the approximation.”

I do not know if a bit of Voodoo helps, but I must admit I never tried

“Trivial approach (as proof-of-concept): Mark any code as malicious.”

You can’t do that. The set of all machines you can use to “mark” is at most countably infinite, but the set of all code (if you take “code” as another name for “algorithm” of the form f(x)=y with x, y ⊆ ℕ) is the powerset and thus larger.

But there’s theory and there’s practice and it works in practice for a very small set of malicious code e.g. for virusscanners if you know the malicious code in advance. But what’s about something like that:

decode(password, encodedText){
    /* XOR the harmless-looking text with the password; the result is the malicious code */
    return encodedText xor password
}
variable var = “some_innocent_code”    /* looks harmless to a static scanner */
variable pass = “password”
eval(decode(pass, var))                /* the real payload only exists at run time */

You can’t detect this kind of malicious code with static tests, you have to run it. What do you do? Ban eval()? OK, but it’s something more sophisticated next time, so ban that too?

No, all of that antivirus and similar kinds of anti-malicious-code software are nothing more than band-aids, necessary if you do not have full control over your software (this includes: binary-only software and restrictions in time and money).

Every COTS-software I stumbled upon had been developed by some more or less sophisticated Trial&Error methods with an EULA which basically says “this software may or may not work, but that’s your problem and no, you can’t get your money back”, so what can one expect?

No, these anti-malicious-code-programs exist because of the crappy software not because of the viruses.

Oh, that’s nice: an example for “conservative approximations” on thedailywtf.com today:
http://worsethanfailure.com/Articles/Poor-Mr-Gookin.aspx
Coincidence?

CZ
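An added example, not from either commenter, that puts Paeniteo’s “conservative approximation” next to Christoph’s decode-then-eval pattern: a static rule that flags every `eval`/`exec`/`compile` call whose first argument is not a string literal. It cannot know what the argument will hold at run time, so it over-approximates: the XOR-decoded payload is caught, and so is a harmless use (the false positive Paeniteo predicts). The three source samples are constructed, with the first being a Python rendering of the comment’s pseudocode.

```python
import ast

# Constructed samples. SUSPICIOUS mirrors the comment's decode-then-eval pseudocode;
# BENIGN_FALSE_POSITIVE is harmless but flagged by the conservative rule; CLEAN passes.
SUSPICIOUS = '''
def decode(password, encoded):
    return "".join(chr(ord(c) ^ ord(password[i % len(password)])) for i, c in enumerate(encoded))
var = "some_innocent_code"
pw = "password"
eval(decode(pw, var))
'''
BENIGN_FALSE_POSITIVE = '''
config = "1 + 2"
total = eval(config)
'''
CLEAN = '''
total = eval("1 + 2")
'''

# Built-in sinks that turn data into executable code at run time.
DYNAMIC_SINKS = {"eval", "exec", "compile"}

def find_dynamic_code_sinks(source):
    """Conservative rule: report (line, sink) for every dynamic-code sink whose
    first argument is anything other than a string literal. Static analysis
    cannot evaluate decode(pw, var), so the rule errs on the side of flagging."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or not isinstance(node.func, ast.Name):
            continue
        if node.func.id not in DYNAMIC_SINKS:
            continue
        first = node.args[0] if node.args else None
        is_literal = isinstance(first, ast.Constant) and isinstance(first.value, str)
        if not is_literal:
            findings.append((node.lineno, node.func.id))
    return findings

if __name__ == "__main__":
    for name, src in [("SUSPICIOUS", SUSPICIOUS),
                      ("BENIGN_FALSE_POSITIVE", BENIGN_FALSE_POSITIVE),
                      ("CLEAN", CLEAN)]:
        print(name, "->", find_dynamic_code_sinks(src))
```

The rule never executes the scanned code, which is the trade-off both commenters are circling: no missed decoded payloads, at the price of flagging every non-literal argument a reviewer must then triage.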

Shan July 13, 2008 2:20 AM

Schneier
Recently my Gmail account and the Orkut community I’ve been running for years for a famous Indian film director got hacked.
The community was one among the best and most widely accepted Indian film communities, which had more than 45k people in all these years.

I have been using this Google account since before joining Microsoft 4.5 years ago.

Do you know someone in Google who can talk to me and help out?
As a security man, I tried the regular channels and they were of no use.
Regards,
Shan

gmail hack September 30, 2013 4:42 PM

Commonly I really don’t master write-up for weblogs, but I wish to express that that write-up quite pressured us to carry out the idea! The composing preference continues to be surprised me. Cheers, really pleasant content.
