RealTime IT News
Google Fixes Desktop Search Flaw
By Jim Wagner
December 21, 2004

Google fixed a flaw in its beta desktop search tool that could have given hackers access to users' local searches, officials said Monday.

The vulnerability, discovered and reported by three members of Rice University's computer science department, proved it was possible for a malware writer to grab information from a Web page containing any desktop searches performed by a user infected with a JavaScript- or applet-based program.

According to the paper "Attacks on Local Searching Tools" by Dan Wallach, Seth Nielson and Seth Fogarty, Google's desktop search program creates a local Web server but only allows the user to get at the data through localhost or connections.

Given Google's Web-centric nature, a desktop search also simultaneously conducts a Web search on Google's site, returning the query and appending it to the desktop search.

The researchers were able to determine that the integration of the desktop and Web searches was conducted by some agent running locally, based on any HTTP request made to the Google Web server. From there, it was a matter of finding a method to prompt a Web search, which would then automatically include the local search.

"While an attacker would not be able to read the victim's files directly, the search results often contain snippets of the file results that will be visible to the attacker."

Those snippets, they state, can contain sensitive information, such as a list of passwords to Web sites.

"Because the Google Desktop application bases its decision to integrate strictly on network traffic, all that is required for an eavesdropper to obtain an integrated Web page is to open a socket on the target computer and send an HTTP request to Google.com, either directly or through any server configured as a Web proxy server," the research paper notes. "This is well within the capabilities of a Java applet, even when running with the restrictive 'sandbox' security model."

To work, the JavaScript or applet must either be downloaded from a Web site containing the malware applet or sent as an e-mail attachment, with the owner subsequently opening the file.

According to a Google spokesperson, the vulnerability was fixed and the company started "pushing" the update to users' computers last week. Like Windows Update, Google Desktop Search users can automatically have updates to their programs downloaded and installed onto their computers.

"We were made aware of this vulnerability with the Google Desktop Search software and have since fixed the problem so that all current and future users are secure," the Google spokesperson said in a statement.

This is the second reported Google Desktop Search flaw since the company released its beta product back in October. A month after the tool was released for general availability, VPN Central and Meta Group analysts reported on a flaw in the program allowing remote users with administrative rights, connected via a virtual private network (VPN), to index information on any hard drives attached to the machine, such as departmental servers.

Google officials wouldn't say which method they used, but the report indicates the search company went with an internal frame (or IFRAME) approach to remove the vulnerability. The fix involves inserting local searches into an IFRAME separate from the main search results page, giving the local information a different "source" than the Web page.
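The separation described above can be modelled in a few lines. This is an added illustration, not code from Google or from the Rice paper; the hostnames, the port and the snippet text are constructed, and the document tree is a simplified stand-in for how a browser treats frames.

```javascript
// Added model of the same-origin rule; not Google's code or any browser's code.
// Hostnames, port 8080 and the snippet text are constructed sample values.
const WEB = "http://search.example/results?q=budget";
const LOCAL = "http://127.0.0.1:8080/search?q=budget";
const SNIPPET = "passwords.txt: site-login hunter2-SAMPLE";

// Browsers compare scheme, host and port; URL.origin normalises default ports.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// A document is { url, text, frames }. Return every piece of text that code
// holding readerUrl's origin may read: its own documents, never foreign frames.
function readableText(doc, readerUrl) {
  const own = sameOrigin(doc.url, readerUrl) ? [doc.text] : [];
  return own.concat(...doc.frames.map((f) => readableText(f, readerUrl)));
}

// Before the fix: local snippets are merged into the Web results document.
function integratedPage() {
  return { url: WEB, text: "web results | " + SNIPPET, frames: [] };
}

// After the fix: the Web document only carries a frame; the snippets live in a
// separate document whose source is the local server.
function framedPage() {
  const local = { url: LOCAL, text: SNIPPET, frames: [] };
  return { url: WEB, text: "web results | <iframe>", frames: [local] };
}

// True when a reader with the given origin can see the local snippet.
function exposesSnippet(page, readerUrl) {
  return readableText(page, readerUrl).some((t) => t.includes(SNIPPET));
}

console.log("integrated, web-origin reader:", exposesSnippet(integratedPage(), WEB));
console.log("framed, web-origin reader:    ", exposesSnippet(framedPage(), WEB));
console.log("framed, local-origin reader:  ", exposesSnippet(framedPage(), LOCAL));
```

In the framed layout only a reader whose origin is the local server sees the snippet; anything holding the outer Web results document gets the frame reference and nothing more.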

Google is facing increasing competition from rival software vendors to provide a robust desktop search component. While there have been desktop search tools for some time, the interest of companies like Google, Microsoft, AOL, Ask Jeeves, Amazon and Yahoo in the area of desktop search has created a lot of industry buzz.