Flaw in Google's New Desktop Tool [Update: Fixed!]
silassewell writes "A Rice University computer scientist and two of his students have discovered a potentially serious security flaw [Sell your soul to the NYTimes to Read] in the desktop search tool for personal computers that was recently distributed by Google." Update: 12/21 03:15 GMT by T : An anonymous reader writes "It's being reported that the security problem in Google's Desktop Search has been plugged."
You have two components, which act as intended. However, the way they are merged into a product (i.e. the glue code) is flawed. If you want to be more technical, it is the kind of flaw you do not find through unit tests, only through system tests. So going from two components with no security flaws, you have a product with a security flaw. The quote is somewhat melodramatic, but accurate.
Kjella
Live today, because you never know what tomorrow brings
Many will not like this concept, but I am happy to learn I don't have to uninstall, re-install, and re-index to ensure I have it fixed.
"I'd rather be a lightning rod than a seismometer." -Ken Kesey
The article seemed a little vague, but I started investigating this when Google Desktop first came out.
GDS runs a web server on your computer which any local application can query, including any Java or ActiveX app with outgoing HTTP privileges.
Google stops this by requiring some sort of random ID as a key to access the page. This ID is generated as part of the URL when you double-click on the GDS icon in the taskbar.
It's also embedded into any results page that comes back from Google, and you can exploit this by having the Java applet first request www.google.com, find the link to GDS, then run a GDS search, then return those results via another web request to a remote host.
But it sounds like it's fixed, so that's good.
Was this flaw enough to gain a passing grade, unlike DJB's students?
--Joe
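A system-level check for the leak described in the comments above, where the key that guards the local search server also turns up in pages served by another site. This is an added example, not code from the thread or from Google; the port, the `key` parameter name, the origins and the token value are all constructed.

```python
import hmac
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}

class _LinkCollector(HTMLParser):
    """Collect every href/src/action URL found in a page."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src", "action") and value:
                self.urls.append(value)

def leaked_token_urls(page_html, secret, param="key"):
    """Return loopback URLs in page_html whose `param` value equals the secret."""
    collector = _LinkCollector()
    collector.feed(page_html)
    hits = []
    for url in collector.urls:
        parts = urlsplit(url)
        if parts.hostname not in LOOPBACK_HOSTS:
            continue  # only links that point back at the local service matter
        for value in parse_qs(parts.query).get(param, []):
            if hmac.compare_digest(value.encode(), secret.encode()):
                hits.append(url)
    return hits

def audit(pages, secret):
    """pages maps origin -> HTML. Return the non-local origins that expose the key."""
    return sorted(
        origin for origin, html in pages.items()
        if urlsplit(origin).hostname not in LOOPBACK_HOSTS
        and leaked_token_urls(html, secret)
    )

# Constructed sample input: one remote results page embeds the local key.
SECRET = "c0ffee-constructed-token"
PAGES = {
    "http://127.0.0.1:8765": '<a href="/search?key=c0ffee-constructed-token">home</a>',
    "http://search.example": '<a href="http://127.0.0.1:8765/search?'
                             'key=c0ffee-constructed-token&amp;q=report">Desktop</a>',
    "http://news.example": '<a href="http://127.0.0.1:8765/search?q=report">no key</a>',
}

if __name__ == "__main__":
    print(audit(PAGES, SECRET))
```

Any origin this reports is one whose readers, including other code able to fetch that page, can obtain the key that is supposed to restrict the local server to its owner.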
...by their implementation of the exploit. Using Java as an exploit-crafting tool is really quite ingenious. Perhaps we'll see more of this in the future: seeing as Java runs in a sandbox, it would be very difficult to put a viral load on a distributed exploit. .....of course, that just means that it makes life safer for the script kiddies....so perhaps this isn't a good idea after all.
In Xanadu did Kubla Khan
A stately pleasure dome decree
Bruce Schneier has an interesting article about the security aspects of Google desktop search. His take on it is that it reveals underlying security flaws in Windows, so if there's a problem, it's not a problem with Google's utility. Blaming it on Google is like shooting the messenger.
Find free books.
I think it's common sense that if you install a third party tool to index your hard drive, especially one with internet access, you're setting yourself up for disaster. I love Google as much as the next guy, but having a tool that handily stores all of that information is a blatant security risk. Sure MS search is slow (for my Windows boxes), and I'm not even sure if GDS even was released for Linux (updatedb | locate something | grep something-more-specific)... but if you're going to index your hard drive, you're taking a risk. I don't see why this would surprise anyone all that much.
- dshaw
I agree - this is definitely one of those utilities that I don't NEEEEEEEED, and am happy to wait a couple of versions before jumping in.
I don't think they would be so stupid as to spend their time this way. I as a webmaster would simply check if there are multiple people logging in on the same account regularly (or even at the same time) and ban those accounts automatically. If you don't want to register, then don't read it. With all those ad blockers websites have to use these tactics to earn a bit of money.