Friday, September 28, 2007

Google Protection

With all the cross-site scripting bugs in Google, I'm surprised our blog (hosted by Google's Blogspot) hasn't been defaced yet.

One way to protect against this is to open separate instances of Firefox, one for Google, and one without Google. This allows you to have GMail up in a separate window on your desktop, but without the danger of XSS bugs crossing over and hijacking the GMail session.

To do this, you need to take advantage of Firefox profiles. You need to create two scripts, one that launches the existing "default" profile, and one that launches a "gmail" profile. You now need to launch Firefox using these scripts, because launching it normally will just use whichever of the two profiles you used last.

The following is the script for Windows that launches the "default" profile; just change "default" to "gmail" for the second script.

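<?xml version="1.0"?>
<job id="Firefox:GMail:Loader">
<?job debug="true"?>
<script language="javascript">
// Launch Firefox with the "default" profile as its own instance.
var shell = WScript.CreateObject("WScript.Shell");
var env = shell.Environment("User");
// Read the Firefox launch command from the registry.
var installpath = shell.RegRead("HKLM\\SOFTWARE\\Clients\\StartMenuInternet\\FIREFOX.EXE\\shell\\open\\command\\");
// MOZ_NO_REMOTE keeps the new instance from attaching to one that is already running.
env("MOZ_NO_REMOTE") = 1;
shell.Exec(installpath + ' -P "default"');
env("MOZ_NO_REMOTE") = 0;
</script>
</job>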
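The same launch step as an added cross-platform example (not code from the original post): it checks that the requested profile is declared in Firefox's profiles.ini before launching, and sets MOZ_NO_REMOTE only in the environment handed to the new Firefox process. The function names, the sample profiles.ini contents and the firefox path passed in are assumptions made for illustration.

```python
import configparser
import os
import subprocess

# Constructed sample of a Firefox profiles.ini (not taken from the post).
SAMPLE_PROFILES_INI = """\
[General]
StartWithLastProfile=1

[Profile0]
Name=default
IsRelative=1
Path=Profiles/abcd1234.default

[Profile1]
Name=gmail
IsRelative=1
Path=Profiles/efgh5678.gmail
"""


def profile_names(ini_text):
    """Return the profile names declared in a profiles.ini document."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    return [cp[s]["Name"] for s in cp.sections()
            if s.startswith("Profile") and "Name" in cp[s]]


def build_launch(firefox, profile, ini_text, base_env=None):
    """Return (argv, env) for a separate Firefox instance using `profile`."""
    if profile not in profile_names(ini_text):
        # Refuse to launch rather than fall back to some other profile.
        raise ValueError("profile %r is not defined in profiles.ini" % profile)
    env = dict(os.environ if base_env is None else base_env)
    env["MOZ_NO_REMOTE"] = "1"  # set for the child process only
    return [firefox, "-P", profile], env


def launch(firefox, profile, ini_path):
    """Start Firefox with the named profile (hypothetical helper)."""
    with open(ini_path, encoding="utf-8") as fh:
        argv, env = build_launch(firefox, profile, fh.read())
    # The parent's own environment is left unchanged.
    return subprocess.Popen(argv, env=env)
```
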


kurt wismer said...

so you would have us simply use a second browser session for gmail and related services?

what happens when i encounter a compromised page while using google reader? or igoogle? or google groups? or a shared google calendar? or - you get the idea...

most of google's services are platforms for accessing or sharing content, much of which can have links to potentially compromised pages - cutting off google services from the rest of your browsing doesn't seem very realistic...

Didier Stevens said...

I developed a small Firefox extension (WhoAmI?) to display the name of the current profile on the statusbar.