Security hole found in Google desktop search

IDG News Service |  Software

Researchers at Rice University have discovered what they say is a flaw in the beta version of Google Inc.'s Desktop Search product that could allow third parties to access users' search result summaries, providing a sneak peek at part of the content of personal files.

A description of the flaw, which was discovered by Rice computer sciences professor Dan Wallach and two graduate students, was posted on the university's Computer Security Lab Web site late Sunday. The researchers labelled the glitch as "serious" and said it could allow attackers to read snippets of files embedded in Google's normal Web searches by the local search engine.

Google was notified of the flaw and has fixed it in an update that is currently being rolled out through an auto-update feature, the company said Monday.

The Rice researchers said users can check if they have the updated version by selecting the "about" icon in their Google Desktop Search task bar. If it says version number 121004, indicating Dec. 10, 2004, or later, they are safe, the researchers said.

To be affected, a user would have to visit a Web site where an attacker has embedded a particular Java applet. The applet makes certain network connections that trick Google Desktop into integrating a user's local search results with results from an online search. When users visit the compromised site, the applet reads their local search result summaries and sends them back to the attacker's server, they said.

Summaries from Google Desktop searches often contain snippets of content from personal files, and it is this content that the attacker is able to read, the researchers said.

Users on wireless networks can be attacked even if they are not visiting a compromised site, if the attacker tampers with the network connections being made by the user's Web browser, the researchers said. By doing this, the attack could be injected into any other Web page, they said.

Google released a beta version of its desktop search product in October, allowing users to search PC files, local e-mail messages, and archived chat sessions. It joined an industry stampede into the local search space, with America Online Inc. (AOL), Yahoo Inc. and Microsoft Corp. all driving their searches onto the desktop.

Other desktop search products are not believed to have the flaw, however, since Google's is the only one which seamlessly integrates local search results with those of online searches, the researchers said.

Join us:
Facebook

Twitter

Pinterest

Tumblr

LinkedIn

Google+

Answers - Powered by ITworld

ITworld Answers helps you solve problems and share expertise. Ask a question or take a crack at answering the new questions below.

Join us:
Facebook

Twitter

Pinterest

Tumblr

LinkedIn

Google+

Ask a Question