Slashdot Mirror


Flaw in Google's New Desktop Tool [Update: Fixed!]

silassewell writes "A Rice University computer scientist and two of his students have discovered a potentially serious security flaw [Sell your soul to the NYTimes to Read] in the desktop search tool for personal computers that was recently distributed by Google." Update: 12/21 03:15 GMT by T : An anonymous reader writes "It's being reported that the security problem in Google's Desktop Search has been plugged."

2 of 266 comments (clear)

  1. It is a dumbed-down explaination... by Kjella · · Score: 4, Interesting

    You have two components, which act as intended. However, the way they are merged into a product (i.e. the glue code) is flawed. If you want to be more technical, it is the kind of flaw you do not find through unit tests, only through system tests. So going from two components with no security flaws, you have a product with a security flaw. The quote is somewhat melodramatic, but accurate.

    Kjella

    --
    Live today, because you never know what tomorrow brings
  2. How it's probably done by grahamsz · · Score: 4, Interesting

    The article seemed a little vague, but i started investigating this when google desktop first came out.

    GDS runs a webserver on your computer which any local application can query, including any java or activex app with outgoing http priviledges.

    Google stop this by requiring that some sort of random ID as a key to access the page. This ID is generated as part of the url when you double click on the GDS icon in the taskbar.

    It's also embedded into any results page that comes back from google, and you can exploit this by having the java applet first request www.google.com, find the link to GDS, then run a GDS search, then return those results via another web request to a remote host.

    But it sounds like it's fixed, so that's good.