Flaw in Google's New Desktop Tool [Update: Fixed!]

silassewell writes "A Rice University computer scientist and two of his students have discovered a potentially serious security flaw [Sell your soul to the NYTimes to Read] in the desktop search tool for personal computers that was recently distributed by Google." Update: 12/21 03:15 GMT by T : An anonymous reader writes "It's being reported that the security problem in Google's Desktop Search has been plugged."

No Reg Required...

Here's a reg free link for those of us who have already sold our souls for other devious purposes ;)

Re:No Reg Required...

Isn't it aweful when you try to sell your soul, and then Satan gets back to you a little later, talking about a pre-existing lein? The look on His face, the patronizing way He talks down to you... I can't stand it. It's so embarrassing.

Google Link (of course!)

[pegr]

Here is the no-subscriber link via Google News, for all that self-referential goodness...

At least they don't bury the bad news...

Re:Google Link (of course!)

[FortKnox]

Or, you could simply use Bug Me Not. It even has a firefox plugin.

The whole Sell your soul to the NYTimes to Read is getting old... actually it was old a year ago, and now its simply ridiculous.

Re:Google Link (of course!)

[Martin+Blank]

NYT (and many others) now scour BugMeNot to kill those accounts that are posted. I suspect they do it by script a couple of times a week, as the logins don't seem to work for me after a day or two.

what the heck

[mako1138]

"When you put them together, out jumps a security flaw." What is this, magic?

Re:what the heck

[evilmousse]

nooo.. it's a fairly common way to find security holes. you can identify every input and every state a program can enter, test all that to be solid, and it can still yield security flaws when working together with another peice of software. This happens most especially on the web, where multiple technologies plug into each other, and unless the sandboxing is extremely solid, a combination of programs noone considered can easily have dastardly results. i think the usefulness of a desktop search tool to any bug looking for targets to infect is pretty obvious. The settings files for the programs are easily mined for info too, if they're not already stored in that abhorrent windows registry.

Re:what the heck

[shotfeel]

Its like MS Windows and a PC.

Windows, just sitting there on the CD isn't a secutity problem.

The PC, sitting there without an operating system isn't a secutity problem.

Put the two together -Microsoft magic!

Haiku of the Google Ad

[Swamii]

Your website goes here
Google deploys their search tool
All is exploited

It's already been fixed

http://news.com.com/Google+Weve+fixed+desktop+sear ch+tool+flaw/2100-1002_3-5497885.html?tag=nefd.top

Re:It's already been fixed

[WIAKywbfatw]

So this story is a case of "All your BS are belong to us"?

don't worry

[AviLazar]

You can all, soon, download M$'s search tool - and we all know this will invade your privacy --- on purpose that is... :D

Programs like these (i.e. Gator password program) are the reason why I am a minimalist. I keep on my computer exactly what I need (pr0n included) and nothing else. Anything that potentially interfaces w/the web is a no-no with me (I use zone alarm, so I can see any program trying to access the net).

Re:don't worry

[atlasheavy]

The MSN Desktop Search tool is already available, and a hell of a lot better than google's desktop search. You can download it from http://beta.toolbar.msn.com/.

Your definition of minimalism is probably different than a lot of other people's. Keep that in mind. I can't function unless I have at least a compiler, if not a full-blown IDE on the computer I'm using. Same thing goes for Photoshop and me.

You may not have either, and may disregard the need for me or anyone else to have these. Just remember, everyone's different. Because you don't find something useful doesn't mean someone else won't.

Re:don't worry

[doublem]

Kudos to you for admitting your need for p0rn.

Far too many people let shame take away their abilty to admit they like the stuff.

Re:don't worry

[Fallen_Knight]

Shame!?

If i start telling people about my multi terabyte porn collection they start asking me to send it to them!!

wait... umm I don't have any porn.. nothing to see here...

It is a dumbed-down explaination...

[Kjella]

You have two components, which act as intended. However, the way they are merged into a product (i.e. the glue code) is flawed. If you want to be more technical, it is the kind of flaw you do not find through unit tests, only through system tests. So going from two components with no security flaws, you have a product with a security flaw. The quote is somewhat melodramatic, but accurate.

Kjella

Re:It is a dumbed-down explaination...

[sfogarty]

Actually, the flaw is that we have one domain: public http pages, mixed with a second domain: private user data. The security model for the first domain generally allows web pages to access their own content. It is assumed that the site the page originated from is supposed to be able to get it's hands on what it sent, including sending it back. Thus when we mix in the second domain: static information from the user's local files that should not be part of active content, a security vulnerabilty is created. This is all said much better in our report, of course... this is me rambling on Slashdot, the other is a thoughtful discussion of the material.

Fix for the flaw

[alphakappa]

Google has already fixed the problem, and if you are using GDS, you should have the updated version since GDS updates automatically without user intervention. If you neeed to check, your version number should be 121,004 (or above). I verified from my firewall that my version was updated yesterday. (Apparently Google has been rolling out the updates since December 10)

Re:Fix for the flaw

[Otter]

...since GDS updates automatically without user intervention.

Next Google "scandal": GDS updates automatically without user intervention!!!

Re:Fix for the flaw

[jeblucas]

your version number should be 121,004 (or above)

I'm going to go out on a limb and guess that Google's version number there is 121004, not because they want it read as "one hundred twenty-one thousand and four", but rather as "December 10th, 2004". Don't panic if it rolls back to 011605 next month.

Re:Fix for the flaw

[imsabbel]

No need for "" around the scandal: Its an app than is supposed to index all private information on a local pc (Email/documents/ect). It has to to be usefull.
I dont want such a critical program auto-updating without even giving the user a notice that he isnt running the same software version anymore.
Alone the fact that a new version can be downloaded and automatically executed SCREAMS security issue. One spoof/hack and we have a ton of google desktop zombies waiting for commands....

Better link

From the researchers themselves, rather than the NYT's garbled take on it.

How it's probably done

[grahamsz]

The article seemed a little vague, but i started investigating this when google desktop first came out.

GDS runs a webserver on your computer which any local application can query, including any java or activex app with outgoing http priviledges.

Google stop this by requiring that some sort of random ID as a key to access the page. This ID is generated as part of the url when you double click on the GDS icon in the taskbar.

It's also embedded into any results page that comes back from google, and you can exploit this by having the java applet first request www.google.com, find the link to GDS, then run a GDS search, then return those results via another web request to a remote host.

But it sounds like it's fixed, so that's good.

Re:How it's probably done

[sfogarty]

Not quite. Again, I recomend checking the webpage , but since I know most of you won't (I wouldn't)... Go install google desktop. Go to google.com. Do a search. Notice it says 'local results found:' and includes small snippets of the local results. We can get those snippets for arbitrary searches by making our own requests to Google. The local data is integrated after the reponse comes back from Google, but before we get it. The only tricky bit is making the requests to google.com through an applet, since the applet is not allowed to connect to google.com, only the originating host. Luckily we can run a web proxy on our originating host and still get the integration results. We don't even have to return the right google.com search result... we can just replay an old page.

Did the students pass the class?

[jpvlsmv]

Was this flaw enough to gain a passing grade, unlike DJB's students

--Joe

Congratulations!

[Tibor+the+Hun]

Not only did you get a -1 redundant, but you also got it on a 1st Post!
This elusive prize is given by sharp moderators who rate your posts on the basis of what future posts might contain!

Do break your paragraphs next time.

Big Deal

[crowemojo]

The Rice group was able to create a Java program that makes network connections back to the computer from where it was downloaded and then make it appear as if it were asking for a search at Google.com. That was enough to fool the Google desktop software into providing the user's search information. The program was able to do anything with the results, including transmitting them back to the attacking site.

So let me get this straight, after successfully fooling a user that the site they are seeing is legit when it's actually spoofed, then they can get the results of local search queries, potentially seeing parts of a file. Don't get me wrong, that kind of stinks and all, but if you have already fooled someone into believing the sites they are looking at are legit, why bother with this? Show them a gmail login, or a yahoo mail login, or if you know a bit about them, their internet banking login.

This security flaw doesn't seem like that big of a deal and if anything, it highlights that Google is being proactive about such things; addressing the issue and releasing fixed software in a reasonable amount of time. Kudos.

No, it is a dumb explaination...

[Digital_Quartz]

Admittedly the NYT article is extremely light on details (and those details don't show up until the end of the article), but from what it sounds like, the Google search tool sends a brief chunk of each search result, whether of local or network origin, to Google, so Google can display some ads.

These guys tricked the google search tool into sending that information somewhere else.

So, we have a "composition flaw", between two components; Google's search tool, and... uh... a Java attack script. Hmm...

The "flaw" here is that Google's search tool sends personal information to an external host, plain and simple. If I don't want a third party attacker seeing arbitrary parts of my hard drive's contents, I probably don't want Google seeing them either.

Re:No, it is a dumb explaination...

[SiliconEntity]

Admittedly the NYT article is extremely light on details (and those details don't show up until the end of the article), but from what it sounds like, the Google search tool sends a brief chunk of each search result, whether of local or network origin, to Google, so Google can display some ads.

It does sound like that, but that would be a terrible design, wouldn't it? It would mean your private search data is being sent to Google! And Google swore up and down that they wouldn't do this.

Actually, your private results are not sent to Google; rather, when the data comes back from Google, the toolbar mixes your private results into the web search results and passes that on to the browser. The problem is that it may not be the user directing the browser to do the request. It could be a Java applet, or maybe (with some help) some Javascript on a malicious web page. Then the nasty code sees the results and it can send them off to where they shouldn't go.

How it works

[SiliconEntity]

A web page on the attack is http://seclab.cs.rice.edu/ which also links to a technical report.

The way it works is actually pretty simple. What happens normally is that the toolbar watches your outgoing and incoming web connections. When you make a Google query, it detects that and does a local search of its index of your disk. When the results come back from Google, it mixes in the results from the web with the results from your disk. This design is to protect your privacy.

The attack is for a malicious site to download a Java applet to your system. This applet does a Google query (via the malicious site as a proxy, to defeat applet sandboxing), and then reads the results which come back. When the results get back to the applet they have gone through the Google toolbar and gotten the local disk results integrated. The applet then sends the data to the malicious site, and presto, it knows a lot about the contents of your disk.

Intruder Alert. Kill the humanoid.

[HarveyBirdman]

Maybe they need to start making a list of software WITHOUT security flaws. It would save space.

Then again, I'm sure someone will find an exploit in Calculator or Freecell given time.

Re:Intruder Alert. Kill the humanoid.

[mzwaterski]

I followed your steps, but it didn't work...I got 12

false alarm

[kevinx]

you had me worried for a sec. I thought there might have been a secret button that pops up that says, "find your husband's porn".

Stop the press!

[caluml]

Stop the press! Bug in beta app! "Oh no!" Waves hands in the air, and runs around in circles. "Who will save us now? Who will save us?!!"

Re:No update here!?

[sfogarty]

This is unnecessary. You can disable the integration option, which is a minor feature anyway. Check our webpage

Since I don't see a clear explanation

[dbacher]

Here is how the attack works.

This is based on Wired's much more clear and coherent description.

Desktop search installs an object that the browser instantiates on Google web pages to render local results along side of google results. No data is sent in this process.

The attack involves the fact that this data is present on the web page itself, and is added to the DOM. An attacker using JavaScript can traverse the DOM and read the exerpts of files shown on the search page.

It cannot follow this to the document itself in the cache, and it can see nothing other than the quoted excerpt.

It's beta software, bound to be problems. This particular problem is because the object isn't "locked to the page."

The vulnerability doesn't effect any other desktop search tool that is currently available, because none of them use an object in the browser to integrate search results with their web page. All the other tools are either search your desktop or search the web, not search both at once.

Using FireFox, without the object, you won't get the integrated search results, so you won't have the problem.

Re:Professor Wallach taking all the credit?

[sfogarty]

Check out our webpage . The tone of the article is not Dan's doing. He has been more than generous with the credit, and was involved with our project and of invaluable assistance the entire time.

Re:Too Late

[eMartin]

Which, by the way, reminds me of the time a friend asked me to fix his computer, and while running a virus scan, the progress window soon started running through his porn directories flashing some pretty embarassing filenames.

And that went on for a good 10 minutes or so.

All i could say was "Well, we do need to do the virus scan."