Title: Google Gears WorkerPool API 'allowCrossOrigin()' Same Origin Policy Violation Vulnerability
Severity: MODERATE
Description:
Google Gears is a browser extension intended to help in the development of web applications. It is available for a number of platforms and browsers.
This issue occurs in the WorkerPool API, which is used to create worker objects within the Gears framework. Gears code may instantiate WorkerPool objects from an external URL through the 'createWorkerFromUrl()' function. These WorkerPool objects may then call the 'allowCrossOrigin()' function to indicate that they allow communication with Gears code from the calling domain.
An attacker may able to inject Gears code onto a third-party site and take advantage of these features to enable communication with an external, malicious domain. An attacker-hosted page may create a WorkerPool object within the context of the victim domain and have that code communicate back to the attacker-hosted page.
Attackers may violate the same-origin policy and obtain sensitive information, including authentication credentials for web applications. Other attacks may also be possible.
Versions prior to Google Gears 0.5.4 are vulnerable.
Affected Products:
- Google Gears 0.5
References:
- Google: Gears API History
- Google: Gears Homepage
- Yair Amit: Breaking Google Gears' Cross-Origin Communication Model
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.
