On Sep 9, 1:33 pm, Peter da Silva <[EMAIL PROTECTED]> wrote:
> When I went to install Google Chrome, as soon as I clicked on the
> download button in Firefox the Google Update engine started
> downloading Google Chrome.
Then you had the GoogleOneClick plugin installed before. Maybe through
Google Gears. The culprit is called npgoogleoneclick5.dll for Firefox
and other browsers, except Internet Explorer which gets some nasty
ActiveX component instead [1][2][3][4][5][6].
> Examining the source code for the page, it
> looks like Google could have kicked off the download without clicking
> ANYTHING on the page, using "_GU_*()" calls.
The _GU_*() calls are not that important. These are just JavaScript
functions which wrap up the whole process and create the necessary
query parameters. The plugin API (maybe just a subset) is shown here:
--snip--
window.google.update.oneclick = {
getOneClickVersion: function() {
try {
return
window.google.update.oneclickPlugin_.GetOneClickVersion()
} catch(f) {
return -1
}
},
install: function(f,h,j,i,k) {
var l="http://tools.google.com";;
l+="/service/update2/installping";
var o=GU_buildGlobalExtra(h,j),p='"'+GU_BuildTag(f,o)+'"';
for (a=0; a<f.length; ++a) {
var m=l;
m+="?appid="+encodeURIComponent(f[a].c);
m+="&lang="+encodeURIComponent(h);
m+="&iid="+encodeURIComponent(_GU_getIid());
m+="&installsource=oneclick";
var q=new Image;
q.src=m
}
var r="/install "+p;
try {
window.google.update.oneclickPlugin_.Install(r,i,k)
} catch(s) {
var n = s.g;
n||(n = -2);
k(n)
}
}
}
--/snip--
The two plugin functions are GetOneClickVersion() and Install(r,i,k).
The first call returns the version number ("5"), the second one
triggers the automatic install process. The parameter r locates the
program that will be installed, i and k seem to be callback functions
- i in case of success and k as fallback in case of an error [7][8].
> This means that the security of the Google Update service is pretty
> important
I think we have to separate a bit the Google Update background task
that I've mentioned from this plugin. But yes, definitely you're right
about the security. It's important in both cases.
The plugin needs internal security checks to prevent evil sites from
abusing it. Since there is no source code for the plugin we have a
black box situation - security through obscurity. Same as for the
Google Updater attached to Chrome for his update checks.
> I've sent mail to Google asking for some information about the
> security model used by Google Update
Hopefully you get some illuminating feedback beyond "we aren't evil"
*eg*
> and I'm going to hold off on checking out Chrome until this is resolved
I don't trust Chrome as long as it's bundled with closed source
components and silently installs some backdoor services like the
Google Updater (which tags you and your box) and plugins (which allow
Google and others? to automatically install software). Maybe I'll
check out Chromium or a fork, when it hits a stable Linux version.
References:
[1]
http://groups.google.com/group/lively-help-how-do-i/browse_thread/thread/2aa4acb579e29b54/faec2a3bb444e64d#msg_faec2a3bb444e64d
[2] http://tech.slashdot.org/comments.pl?sid=952157&cid=24859505
[3]
http://translate.google.com/translate?tl=en&sl=fr&u=http://www.korben.info/google-chrome-et-son-spyware.html
[4]
http://translate.google.com/translate?sl=fr&tl=en&u=http://flyingoverclouds.spaces.live.com/blog/cns!13F8EFC2E48DC1B3!519.entry
[5]
http://translate.google.com/translate?u=http%3A%2F%2Fosnews.pl%2Fgoogle-chrome-instaluje-w-systemie-backdoora%2F&sl=pl&tl=en
[6]
http://translate.google.com/translate?sl=pl&tl=en&u=http://my.opera.com/dodd/blog/google-chrome-instaluje-backdoor-a
[7] http://paste-bin.com/view/57ab54c3
[8] http://paste-bin.com/view/30dd8f4b
Some more information:
[8] https://bugzilla.mozilla.org/show_bug.cgi?id=453869
[9] http://code.google.com/p/chromium/issues/detail?id=1585
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Chromium-discuss" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at
http://groups.google.com/group/chromium-discuss?hl=en
-~----------~----~----~----~------~----~------~--~---
