Quantcast
Subscribe to magazine

New Flaw Found in Google Desktop Search

Hole could allow remote attackers to access your local search results.

Scarlet Pruitt, IDG News Service

  • 0 Yes
  • 0 No

Researchers at Rice University have discovered what they say is a flaw in the beta version of Google's Desktop Search product that could allow third parties to access users' search result summaries, providing a sneak peek at part of the content of personal files.

A description of the flaw, which was discovered by Rice computer sciences professor Dan Wallach and two graduate students, was posted on the university's Computer Security Lab Web site late Sunday. The researchers labeled the glitch as "serious" and said it could allow attackers to read snippets of files embedded in Google's normal Web searches by the local search engine.

Google was notified of the flaw and has fixed it in an update that is currently being rolled out through an auto-update feature, the company says.

The Rice researchers say users can check if they have the updated version by selecting the "about" icon in their Google Desktop Search task bar. If it says version number 121004, indicating December 10, 2004, or later, they are safe, the researchers say.

How It Works

To be affected, a user would have to visit a Web site where an attacker has embedded a particular Java applet. The applet makes certain network connections that trick Google Desktop into integrating a user's local search results with results from an online search. When users visit the compromised site, the applet reads their local search result summaries and sends them back to the attacker's server, they says.

Summaries from Google Desktop searches often contain snippets of content from personal files, and it is this content that the attacker is able to read, the researchers say.

Users on wireless networks can be attacked even if they are not visiting a compromised site, if the attacker tampers with the network connections being made by the user's Web browser, the researchers say. By doing this, the attack could be injected into any other Web page, they say.

Google released a beta version of its desktop search product in October, allowing users to search PC files, local e-mail messages, and archived chat sessions. It joined an industry stampede into the local search space, with America Online, Yahoo, and Microsoft all driving their searches onto the desktop.

Other desktop search products are not believed to have the flaw, however, since Google's is the only one which seamlessly integrates local search results with those of online searches, the researchers say.

  • Recommend this story?
  • 0 Yes
    0 No

Print 65% more pages than with refilled inks. Trust Original HP Inks. Hit Print Reliably.

Featured APC Accessories For Your System
10% Off Entire Cart at Online Store

  • APC Back-UPS ES Safeguards your equipment from damaging surges and spikes that travel along your utility & data lines.
  • APC SurgeArrest Performance Highest level of protection for your professional computers, electronics and connected devices, as well as provides surge protection.

People who read this also read:

  • 2007 Microsoft Office Suites Comparison This paper compares and contrasts four suites of the 2007 Microsoft Office system: Microsoft Office Standard 2007, Microsoft Office Professional Plus 2007, Microsoft Office Enterprise 2007 and Microsoft Office Ultimate 2007. This paper is intended to help organizations understand the applications and capabilities offered, and to identify the suite that best fits their needs.
  • Windows Vista Migration: The Business Proposition It's not so much a matter of "if" but "when" for most organizations regarding migration to Windows Vista. Laying the groundwork now for this migration can yield higher ROI than waiting until later. This Computerworld Technology Briefing explains it all.

PC World's Marketplace