[ga] Privacy alert: Google and add-ons cause security concerns
- To: ga@xxxxxxxxxxxxxx
- Subject: [ga] Privacy alert: Google and add-ons cause security concerns
- From: jwkckid1@xxxxxxxxxxxxx
- Date: Fri, 1 Jun 2007 12:48:00 -0500 (GMT-05:00)
- Reply-to: jwkckid1@xxxxxxxxxxxxx
- Sender: owner-ga@xxxxxxxxxxxxxx
All GA members,
Google is again in the news as being bad for consumers'
privacy and security.
"Many makers of extensions or add-ons for Firefox are
introducing ways for bad guys to hijack the Web browser,
new research suggests. A great many add-ons are updated
over insecure (non https://) connections, providing an
avenue for attackers to replace the extension with an evil
update. *Google's add-ons* are particularly vulnerable,
because they update automatically without notifying the user.
From the story: '[I]f an attacker were to hijack a public
Wi-Fi hot spot at a coffeehouse or bookstore -- a fairly
trivial attack given the myriad free, point-and-click hacking
tools available today -- he could also intercept this update
process and replace a Firefox add-on with a malicious one.'"
Here is security researcher Chris Soghoian's description of
the vulnerability and a video,
http://www.cs.indiana.edu/~csoghoia/google-mitm.mov, of a
simulated takeover.
Jeffrey A. Williams
Spokesman for INEGroup LLA. - (Over 134k members/stakeholders strong!)
"Obedience of the law is the greatest freedom" -
"Credit should go with the performance of duty and not with what is very
often the accident of glory" - Theodore Roosevelt
"If the probability be called P; the injury, L; and the burden, B; liability
depends upon whether B is less than L multiplied by
P: i.e., whether B is less than PL."
United States v. Carroll Towing (159 F.2d 169 [2d Cir. 1947])
CSO/DIR. Internet Network Eng. SR. Eng. Network data security IDNS. div. of
Information Network Eng. INEG. INC.
ABA member in good standing member ID 01257402 E-Mail jwkckid1@xxxxxxxxxxxxx
Registered Email addr with the USPS Contact Number: 214-244-4827
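
The quoted report turns on add-ons that fetch updates over non-https connections. As an added example (not part of the original message or of the research it cites), the script below audits Firefox install.rdf manifests for that condition. It assumes the legacy manifest properties em:updateURL and em:updateKey; the add-on IDs, hosts and key value in the samples are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

EM = "http://www.mozilla.org/2004/em-rdf#"  # namespace of install.rdf properties

def em_value(root, name):
    """First em:<name> in document order, as child element or attribute."""
    tag = "{%s}%s" % (EM, name)
    for node in root.iter():
        if node.tag == tag and node.text and node.text.strip():
            return node.text.strip()
        if node.get(tag):
            return node.get(tag).strip()
    return None

def audit_manifest(xml_text):
    """Return (addon_id, verdict, reason) for one install.rdf manifest."""
    root = ET.fromstring(xml_text)  # local profile files; not hardened for hostile XML
    addon = em_value(root, "id") or "<unknown>"
    url = em_value(root, "updateURL")
    if url is None:
        return addon, "ok", "no custom updateURL"
    scheme = urlparse(url).scheme.lower() or "no scheme"
    if scheme == "https":
        return addon, "ok", "update check over https"
    if em_value(root, "updateKey"):
        return addon, "ok", "plain update check, but update manifest is signed"
    return addon, "insecure", "update check over %s, unsigned" % scheme

def manifest(addon_id, extra):
    """Build a constructed install.rdf for the demo below."""
    return ('<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
            'xmlns:em="%s"><Description about="urn:mozilla:install-manifest">'
            '<em:id>%s</em:id>%s</Description></RDF>' % (EM, addon_id, extra))

# Constructed sample manifests (hypothetical add-ons and hosts).
SAMPLES = [
    manifest("toolbar@example.invalid",
             "<em:updateURL>http://updates.example.invalid/u.rdf</em:updateURL>"),
    manifest("notes@example.invalid",
             "<em:updateURL>https://updates.example.invalid/u.rdf</em:updateURL>"),
    manifest("signed@example.invalid",
             "<em:updateURL>http://updates.example.invalid/u.rdf</em:updateURL>"
             "<em:updateKey>CONSTRUCTED-PLACEHOLDER-KEY</em:updateKey>"),
    manifest("stock@example.invalid", ""),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print("%-26s %-9s %s" % audit_manifest(sample))
```

Only the first sample is reported as insecure: it checks for updates over plain http and declares no signing key.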