Flaw in Google's New Desktop Tool [Update: Fixed!]
silassewell writes "A Rice University computer scientist and two of his students have discovered a potentially serious security flaw [Sell your soul to the NYTimes to Read] in the desktop search tool for personal computers that was recently distributed by Google." Update: 12/21 03:15 GMT by T : An anonymous reader writes "It's being reported that the security problem in Google's Desktop Search has been plugged."
Or, you could simply use Bug Me Not. It even has a Firefox plugin.
The whole Sell your soul to the NYTimes to Read is getting old... actually it was old a year ago, and now it's simply ridiculous.
Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!
You can all, soon, download M$'s search tool - and we all know this will invade your privacy --- on purpose that is... :D
Programs like these (i.e. Gator password program) are the reason why I am a minimalist. I keep on my computer exactly what I need (pr0n included) and nothing else. Anything that potentially interfaces w/the web is a no-no with me (I use ZoneAlarm, so I can see any program trying to access the net).
I mod down so you can mod up. You're welcome.
BugMeNot
Both IE and Firefox extensions available. This copy/paste might be useful if you formatted it instead of karma whoring for first post points.
Life is the leading cause of death in America.
The Rice group was able to create a Java program that makes network connections back to the computer from where it was downloaded and then makes it appear as if it were asking for a search at Google.com. That was enough to fool the Google desktop software into providing the user's search information. The program was able to do anything with the results, including transmitting them back to the attacking site.
So let me get this straight, after successfully fooling a user that the site they are seeing is legit when it's actually spoofed, then they can get the results of local search queries, potentially seeing parts of a file. Don't get me wrong, that kind of stinks and all, but if you have already fooled someone into believing the sites they are looking at are legit, why bother with this? Show them a gmail login, or a yahoo mail login, or if you know a bit about them, their internet banking login.
This security flaw doesn't seem like that big of a deal and if anything, it highlights that Google is being proactive about such things; addressing the issue and releasing fixed software in a reasonable amount of time. Kudos.
Admittedly the NYT article is extremely light on details (and those details don't show up until the end of the article), but from what it sounds like, the Google search tool sends a brief chunk of each search result, whether of local or network origin, to Google, so Google can display some ads.
These guys tricked the Google search tool into sending that information somewhere else.
So, we have a "composition flaw", between two components; Google's search tool, and... uh... a Java attack script. Hmm...
The "flaw" here is that Google's search tool sends personal information to an external host, plain and simple. If I don't want a third party attacker seeing arbitrary parts of my hard drive's contents, I probably don't want Google seeing them either.
Actually, the flaw is that we have one domain: public http pages, mixed with a second domain: private user data. The security model for the first domain generally allows web pages to access their own content. It is assumed that the site the page originated from is supposed to be able to get its hands on what it sent, including sending it back. Thus when we mix in the second domain: static information from the user's local files that should not be part of active content, a security vulnerability is created. This is all said much better in our report, of course... this is me rambling on Slashdot, the other is a thoughtful discussion of the material.
No need for "" around the scandal: It's an app that is supposed to index all private information on a local PC (Email/documents/etc.). It has to, to be useful.
I don't want such a critical program auto-updating without even giving the user a notice that he isn't running the same software version anymore.
The fact alone that a new version can be downloaded and automatically executed SCREAMS security issue. One spoof/hack and we have a ton of Google Desktop zombies waiting for commands....
HI O WISE PRINCE. WHT TOOK U SO DAM LONG?
This actually has nothing to do with Windows in the least. It is a combination of Google's security model and the Java applet security model.
You're right. I already hear too much, "but it worked fine yesterday and I haven't done anything to my computer." I don't need updates happening behind my back to make things even worse.
You know, she's probably already found it.
I know a few people who think their porn is hidden on their computer, but those who live with them say otherwise.
Just think of all of the recent file lists and last used directories in your media players or image viewers, system logs with errors for codecs and paths to the problem files, browser history autocomplete and cookie names, disks with "missing" space or restricted directories, and the good old file search for mpg, avi, wmv, etc.
You're probably not the only computer-savvy person she knows (if she's not one herself), so just assume she's already seen your stash.
correction again: maybe we should then interpret "or above" as the next date above 12-10-04. I think a versioning system that uses year-month-day would be easier to interpret than the month-day-year being used :-)
"When the only tool you own is a hammer, every problem begins to resemble a nail." - Abraham Maslow (1908-1970)
Not to mention that it's a good habit to get into because it can be sorted lexicographically. (Think ls putting your dated backup tarballs in the correct order, for example).
So the RIAA or whatever would be given a small fine of around $100,000 and would sue the person even though there's no hard evidence. The lawsuit would cost quite a bit of money to the defendant, and, even if the RIAA couldn't win, the defendant wouldn't be able to afford to keep going.
Two things are infinite: the universe and human stupidity, though I'm not yet sure about the universe. - A Einstein
It amazes me how much information people are willing to give out for free in exchange for a little convenience.
1) NYT doesn't spam you and doesn't sell your address. Confirmed repeatedly.
2) Most people here should already have a registration with NYT and a cookie, so they don't need to worry. NYT writes enough good stories that it's worth the trouble (which I had in about 1997).
Future Wiki -- If you don't think about the future, you cannot have one.