Googles doing me wrong again... A while back I complained about google auto-mounting a disk image and then updating software with out letting me know or asking my permission. Well, they've done it again. Yesterday, hardware growler reported that "GoogleVoiceAndVideoSetup_1.0.5.634" was mounted and unmounted. So looks like the GoogleTalk feature of Gmail was updated. Thats a good thing, updates are welcomed. Not asking me first is not. And in this case, I don't even see a preference to disable this feature. So GoogleTalk is phoning home, downloading updates and installing them, all with out a single notification.
What to know some more scary stuff? How about this:
Jan 20 20:36:23 rwhiffen-macbook installer[10817]: Package Authoring Warning: GoogleVoiceandVideo.pkg authorization level is AdminAuthorization but was promoted to RootAuthorization for compatibility, ensure authorization level is sufficient to install.
Jan 20 20:36:23 rwhiffen-macbook installer[10817]: Package Authoring Warning: GoogleVoiceAndVideo.mpkg authorization level is NoAuthorization but was promoted to RootAuthorization for compatibility, ensure authorization level is sufficient to install.
And if you look in /private/tmp you will see that, yes indeed, google did stuff as root:
rwhiffen-macbook:~ rwhiffen$ ls -ld /private/tmp/GoogleVoiceAndVideo.mpkg.10817E8zL7g/
drwxr-xr-x 3 root wheel 102 Jan 20 20:36 /private/tmp/GoogleVoiceAndVideo.mpkg.10817E8zL7g/
rwhiffen-macbook:~ rwhiffen$
So not only is it secretly phoning home, downloading an update, it's doing it as root. Now I explicitly authorized root access upon install. So the update having root ability is by design and I authorized it by typing in my password when I installed the software the first time. But I did not authorize subsequent use of that authorization. It's scary to think what trouble this could lead to. I'm assuming google has some kind of cryptographic controllers to test for legit updates before snagging them, but what if they don't? What if an ISP gets it's DNS hacked and they set up a fake update? It'll run as root with out anyone knowing. I guess I wouldn't have such an issue with it if I had an option to opt-in or opt-out.
So today I'm going to sign up for the google groups and use some "ALL CAPS" language and see if I can get any kind of response. Probably not, but it's worth a try.
No comments:
Post a Comment