Slashdot Mirror
Flaw in Google's New Desktop Tool [Update: Fixed!]
silassewell writes "A Rice University computer scientist and two of his students have discovered a potentially serious security flaw [Sell your soul to the NYTimes to Read] in the desktop search tool for personal computers that was recently distributed by Google." Update: 12/21 03:15 GMT by T : An anonymous reader writes "It's being reported that the security problem in Google's Desktop Search has been plugged."
Here's a reg free link for those of us who have already sold our souls for other devious purposes ;)
Here is the no-subscriber link via Google News, for all that self-referential goodness...
At least they don't bury the bad news...
"When you put them together, out jumps a security flaw." What is this, magic?
Your website goes here
Google deploys their search tool
All is exploited
Tech, life, family, faith: Give me a visit
http://news.com.com/Google+Weve+fixed+desktop+sear ch+tool+flaw/2100-1002_3-5497885.html?tag=nefd.top
You can all, soon, download M$'s search tool - and we all know this will invade your privacy --- on purpose that is... :D
Programs like these (i.e. Gator password program) are the reason why I am a minimalist. I keep on my computer exactly what I need (pr0n included) and nothing else. Anything that potentially interfaces w/the web is a no-no with me (I use zone alarm, so I can see any program trying to access the net).
I mod down so you can mod up. Your welcome.
BugMeNot
Both IE and Firefox extensions available. This copy/paste might be useful if you formatted it instead of karma whoring for first post points.
Life is the leading cause of death in America.
You have two components, which act as intended. However, the way they are merged into a product (i.e. the glue code) is flawed. If you want to be more technical, it is the kind of flaw you do not find through unit tests, only through system tests. So going from two components with no security flaws, you have a product with a security flaw. The quote is somewhat melodramatic, but accurate.
Kjella
Live today, because you never know what tomorrow brings
Many will not like this concept, but I am happy to learn, I don't have to uninstall, re-install, and re-index to ensure I have it fixed.
"I'd rather be a lightning rod than a seismometer." -Ken Kesey
Google has already fixed the problem, and if you are using GDS, you should have the updated version since GDS updates automatically without user intervention. If you neeed to check, your version number should be 121,004 (or above). I verified from my firewall that my version was updated yesterday. (Apparently Google has been rolling out the updates since December 10)
"When the only tool you own is a hammer, every problem begins to resemble a nail." - Abraham Maslow (1908-1970)
From the researchers themselves, rather than the NYT's garbled take on it.
The article seemed a little vague, but i started investigating this when google desktop first came out.
GDS runs a webserver on your computer which any local application can query, including any java or activex app with outgoing http priviledges.
Google stop this by requiring that some sort of random ID as a key to access the page. This ID is generated as part of the url when you double click on the GDS icon in the taskbar.
It's also embedded into any results page that comes back from google, and you can exploit this by having the java applet first request www.google.com, find the link to GDS, then run a GDS search, then return those results via another web request to a remote host.
But it sounds like it's fixed, so that's good.
Was this flaw enough to gain a passing grade, unlike DJB's students
--Joe
"An attack would require a user to visit the attacker's Web site first, and any type of Web browser could make a user vulnerable."
;-)
It seems like most non-email Internet attacks require you to visit an attacker's website before the payload can be delivered (there are some good articles about this at ISC). I would tend to think that unpatched browsers (<cough>IE<cough>) would still cause more problems that this.
Don't misunderstand me, though; I am not trying to excuse Google from the flaw, but the good news is that it's already fixed, and I'm sure the scum of the Internet are going to focus on these other (exciting, money-making) opportunities.
PS. I know Seth Fogarty, does that give me some sort of karma bonus
...by their implementation of the exploit. Using Java as an exploit-crafting tool is really quite ingenious. Perhaps we'll see more of this in the future: seeing as Java runs in a sandbox, it would be very difficult to put a viral load on a distributed exploit. .....of course, that just means that it makes life safer for the script kiddies....so perhaps this isn't a good idea after all.
In Xanadu did Kubla Khan
A stately pleasure dome decree
Not only did you get a -1 redundant, but you also got it on a 1st Post!
This elusive prize is given by sharp moderators who rate your posts on the basis of what future posts might contain!
Do break your paragraphs next time.
If you don't know what AltaVista is (was), get off my lawn.
The Rice group was able to create a Java program that makes network connections back to the computer from where it was downloaded and then make it appear as if it were asking for a search at Google.com. That was enough to fool the Google desktop software into providing the user's search information. The program was able to do anything with the results, including transmitting them back to the attacking site.
So let me get this straight, after successfully fooling a user that the site they are seeing is legit when it's actually spoofed, then they can get the results of local search queries, potentially seeing parts of a file. Don't get me wrong, that kind of stinks and all, but if you have already fooled someone into believing the sites they are looking at are legit, why bother with this? Show them a gmail login, or a yahoo mail login, or if you know a bit about them, their internet banking login.
This security flaw doesn't seem like that big of a deal and if anything, it highlights that Google is being proactive about such things; addressing the issue and releasing fixed software in a reasonable amount of time. Kudos.
Admittedly the NYT article is extremely light on details (and those details don't show up until the end of the article), but from what it sounds like, the Google search tool sends a brief chunk of each search result, whether of local or network origin, to Google, so Google can display some ads.
These guys tricked the google search tool into sending that information somewhere else.
So, we have a "composition flaw", between two components; Google's search tool, and... uh... a Java attack script. Hmm...
The "flaw" here is that Google's search tool sends personal information to an external host, plain and simple. If I don't want a third party attacker seeing arbitrary parts of my hard drive's contents, I probably don't want Google seeing them either.
A web page on the attack is http://seclab.cs.rice.edu/ which also links to a technical report.
The way it works is actually pretty simple. What happens normally is that the toolbar watches your outgoing and incoming web connections. When you make a Google query, it detects that and does a local search of its index of your disk. When the results come back from Google, it mixes in the results from the web with the results from your disk. This design is to protect your privacy.
The attack is for a malicious site to download a Java applet to your system. This applet does a Google query (via the malicious site as a proxy, to defeat applet sandboxing), and then reads the results which come back. When the results get back to the applet they have gone through the Google toolbar and gotten the local disk results integrated. The applet then sends the data to the malicious site, and presto, it knows a lot about the contents of your disk.
Then again, I'm sure someone will find an exploit in Calculator or Freecell given time.
--- Ban humanity.
you had me worried for a sec. I thought there might have been a secret button that pops up that says, "find your husband's porn".
from the NYT article:
...The researchers said that Google had responded quickly to their alert last month and had begun releasing a corrected version of the program on Dec. 10....
BTW, CNET reported this last night.
[obligatory jab at microsoft,typical at this point in a comment, is being left as an exercise for the readers....]
SLASHDOT: news for people who can't concentrate on work or have no life at all and got tired of yelling back at the TV.
Stop the press! Bug in beta app! "Oh no!" Waves hands in the air, and runs around in circles. "Who will save us now? Who will save us?!!"
Get your own free personal location tracker
This is unnecessary. You can disable the integration option, which is a minor feature anyway. Check our webpage
Bruce Schneier has an interesting article about the security aspects of Google desktop search. His take on it is that it reveals underlying security flaws in Windows, so if there's a problem, it's not a problem with Google's utility. Blaming it on Google is like shooting the messenger.
Find free books.
This actually has nothing to do with windows in the least. It is a combination of Google's security model and the Java applet security model.
Here is how the attack works.
This is based on Wired's much more clear and coherent description.
Desktop search installs an object that the browser instantiates on Google web pages to render local results along side of google results. No data is sent in this process.
The attack involves the fact that this data is present on the web page itself, and is added to the DOM. An attacker using JavaScript can traverse the DOM and read the exerpts of files shown on the search page.
It cannot follow this to the document itself in the cache, and it can see nothing other than the quoted excerpt.
It's beta software, bound to be problems. This particular problem is because the object isn't "locked to the page."
The vulnerability doesn't effect any other desktop search tool that is currently available, because none of them use an object in the browser to integrate search results with their web page. All the other tools are either search your desktop or search the web, not search both at once.
Using FireFox, without the object, you won't get the integrated search results, so you won't have the problem.
If your code is acting bloated, and is running rather slow, it's likely and predicted that some loops you will unroll.
See our for more information, but iirc they embeded the local search results in an iframe, which separates the security concerns so that the java applet and javascript security models prevent us from accessing local information.
Check out our webpage . The tone of the article is not Dan's doing. He has been more than generous with the credit, and was involved with our project and of invaluable assistance the entire time.
You're right. I already hear too much, " but it worked fine yesterday and I haven't done anything to my computer." I don't need updates happening behind my back to make things even worse.
I think it's common sense that if you install a third party tool to index your hard drive, especially one with internet access, you're setting yourself up for disaster. I love Google as much as the next guy, but having a tool that handily stores all of that information is a blatant security risk. Sure MS search is slow (for my Windows boxes), and I'm not even sure if GDS even was released for linux (updatedb | locate something | grep something-more-specific)... but if you're going to index your hard drive, you're taking a risk. I don't see why this would surpise anyone all that much.
- dshaw
You know, she's probably already found it.
I know a few people who think their porn is hidden on their computer, but those who live with them say otherwise.
Just think of all of the recent file lists and last used directories in your media players or image viewers, system logs with errors for codecs and paths to the problem files, browser history autocomplete and cookie names, disks with "missing" space or restricted directories, and the good old file search for mpg, avi, wmv, etc.
You're probably not the only computer-savvy person she knows (if she's not one herself), so just assume she's already seen your stash.
I agree - this is definitely one of those utilities that I don't NEEEEEEEED, and am happy to wait a couple of versions before jumping in.
Here's Rice's security lab post about the flaw: clicky
So the RIAA or whatever would be given a small fine of around $100,000 and would sue the person even though there's no hard evidence. The lawsuit would cost quite a bit of money to the defendant, and, even if the RIAA couldn't win, the defendant wouldn't be able to afford to keep going.
Two things are infinite: the universe and human stupidity, though I'm not yet sure about the universe. - A Einstein
It amazes me how much information people are willing to give out for free in exchange of a little convenience.
Damn it. Now everyone (who reads several levels down in /. ) knows...