Slashdot Mirror

← Back to Stories (view on slashdot.org)

Flaw in Google's New Desktop Tool [Update: Fixed!]

Posted by CmdrTaco on from the well-that's-just-not-good dept.

silassewell writes "A Rice University computer scientist and two of his students have discovered a potentially serious security flaw [Sell your soul to the NYTimes to Read] in the desktop search tool for personal computers that was recently distributed by Google." Update: 12/21 03:15 GMT by T : An anonymous reader writes "It's being reported that the security problem in Google's Desktop Search has been plugged."

24 of 266 comments (clear)

  1. No Reg Required... by Anonymous Coward · · Score: 5, Informative

    Here's a reg free link for those of us who have already sold our souls for other devious purposes ;)

  2. Google Link (of course!) by pegr · · Score: 4, Informative

    Here is the no-subscriber link via Google News, for all that self-referential goodness...

    At least they don't bury the bad news...

    1. Re:Google Link (of course!) by FortKnox · · Score: 4, Insightful

      Or, you could simply use Bug Me Not. It even has a firefox plugin.

      The whole Sell your soul to the NYTimes to Read is getting old... actually it was old a year ago, and now its simply ridiculous.

      --
      Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!
    2. Re:Google Link (of course!) by Martin+Blank · · Score: 4, Informative

      NYT (and many others) now scour BugMeNot to kill those accounts that are posted. I suspect they do it by script a couple of times a week, as the logins don't seem to work for me after a day or two.

      --
      You can never go home again... but I guess you can shop there.
  3. It's already been fixed by Anonymous Coward · · Score: 5, Informative

    http://news.com.com/Google+Weve+fixed+desktop+sear ch+tool+flaw/2100-1002_3-5497885.html?tag=nefd.top

    1. Re:It's already been fixed by WIAKywbfatw · · Score: 4, Funny

      So this story is a case of "All your BS are belong to us"?

      --

      "Accept that some days you are the pigeon, and some days you are the statue." - David Brent, Wernham Hogg
  4. don't worry by AviLazar · · Score: 4, Insightful

    You can all, soon, download M$'s search tool - and we all know this will invade your privacy --- on purpose that is... :D

    Programs like these (i.e. Gator password program) are the reason why I am a minimalist. I keep on my computer exactly what I need (pr0n included) and nothing else. Anything that potentially interfaces w/the web is a no-no with me (I use zone alarm, so I can see any program trying to access the net).

    --

    I mod down so you can mod up. Your welcome.
    1. Re:don't worry by atlasheavy · · Score: 4, Funny
      The MSN Desktop Search tool is already available, and a hell of a lot better than google's desktop search. You can download it from http://beta.toolbar.msn.com/.


      Your definition of minimalism is probably different than a lot of other people's. Keep that in mind. I can't function unless I have at least a compiler, if not a full-blown IDE on the computer I'm using. Same thing goes for Photoshop and me.


      You may not have either, and may disregard the need for me or anyone else to have these. Just remember, everyone's different. Because you don't find something useful doesn't mean someone else won't.

      --

      iRooster, the Mac OS X a
    2. Re:don't worry by doublem · · Score: 4, Funny

      Kudos to you for admitting your need for p0rn.

      Far too many people let shame take away their abilty to admit they like the stuff.

      --
      "Live Free or Die." Don't like it? Then keep out of the USA
  5. It is a dumbed-down explaination... by Kjella · · Score: 4, Interesting

    You have two components, which act as intended. However, the way they are merged into a product (i.e. the glue code) is flawed. If you want to be more technical, it is the kind of flaw you do not find through unit tests, only through system tests. So going from two components with no security flaws, you have a product with a security flaw. The quote is somewhat melodramatic, but accurate.

    Kjella

    --
    Live today, because you never know what tomorrow brings
  6. Fix for the flaw by alphakappa · · Score: 4, Informative

    Google has already fixed the problem, and if you are using GDS, you should have the updated version since GDS updates automatically without user intervention. If you neeed to check, your version number should be 121,004 (or above). I verified from my firewall that my version was updated yesterday. (Apparently Google has been rolling out the updates since December 10)

    --
    "When the only tool you own is a hammer, every problem begins to resemble a nail." - Abraham Maslow (1908-1970)
    1. Re:Fix for the flaw by Otter · · Score: 4, Funny
      ...since GDS updates automatically without user intervention.

      Next Google "scandal": GDS updates automatically without user intervention!!!

      --
      What I'm listening to now on Pandora...
    2. Re:Fix for the flaw by jeblucas · · Score: 4, Informative
      your version number should be 121,004 (or above)
      I'm going to go out on a limb and guess that Google's version number there is 121004, not because they want it read as "one hundred twenty-one thousand and four", but rather as "December 10th, 2004". Don't panic if it rolls back to 011605 next month.
      --
      blarg.
  7. How it's probably done by grahamsz · · Score: 4, Interesting

    The article seemed a little vague, but i started investigating this when google desktop first came out.

    GDS runs a webserver on your computer which any local application can query, including any java or activex app with outgoing http priviledges.

    Google stop this by requiring that some sort of random ID as a key to access the page. This ID is generated as part of the url when you double click on the GDS icon in the taskbar.

    It's also embedded into any results page that comes back from google, and you can exploit this by having the java applet first request www.google.com, find the link to GDS, then run a GDS search, then return those results via another web request to a remote host.

    But it sounds like it's fixed, so that's good.

    1. Re:How it's probably done by sfogarty · · Score: 4, Informative

      Not quite. Again, I recomend checking the webpage , but since I know most of you won't (I wouldn't)... Go install google desktop. Go to google.com. Do a search. Notice it says 'local results found:' and includes small snippets of the local results. We can get those snippets for arbitrary searches by making our own requests to Google. The local data is integrated after the reponse comes back from Google, but before we get it. The only tricky bit is making the requests to google.com through an applet, since the applet is not allowed to connect to google.com, only the originating host. Luckily we can run a web proxy on our originating host and still get the integration results. We don't even have to return the right google.com search result... we can just replay an old page.

  8. Congratulations! by Tibor+the+Hun · · Score: 5, Funny

    Not only did you get a -1 redundant, but you also got it on a 1st Post!
    This elusive prize is given by sharp moderators who rate your posts on the basis of what future posts might contain!

    Do break your paragraphs next time.

    --
    If you don't know what AltaVista is (was), get off my lawn.
  9. Re:what the heck by evilmousse · · Score: 5, Informative


    nooo.. it's a fairly common way to find security holes. you can identify every input and every state a program can enter, test all that to be solid, and it can still yield security flaws when working together with another peice of software. This happens most especially on the web, where multiple technologies plug into each other, and unless the sandboxing is extremely solid, a combination of programs noone considered can easily have dastardly results. i think the usefulness of a desktop search tool to any bug looking for targets to infect is pretty obvious. The settings files for the programs are easily mined for info too, if they're not already stored in that abhorrent windows registry.

  10. No, it is a dumb explaination... by Digital_Quartz · · Score: 4, Insightful

    Admittedly the NYT article is extremely light on details (and those details don't show up until the end of the article), but from what it sounds like, the Google search tool sends a brief chunk of each search result, whether of local or network origin, to Google, so Google can display some ads.

    These guys tricked the google search tool into sending that information somewhere else.

    So, we have a "composition flaw", between two components; Google's search tool, and... uh... a Java attack script. Hmm...

    The "flaw" here is that Google's search tool sends personal information to an external host, plain and simple. If I don't want a third party attacker seeing arbitrary parts of my hard drive's contents, I probably don't want Google seeing them either.

    1. Re:No, it is a dumb explaination... by SiliconEntity · · Score: 5, Informative

      Admittedly the NYT article is extremely light on details (and those details don't show up until the end of the article), but from what it sounds like, the Google search tool sends a brief chunk of each search result, whether of local or network origin, to Google, so Google can display some ads.

      It does sound like that, but that would be a terrible design, wouldn't it? It would mean your private search data is being sent to Google! And Google swore up and down that they wouldn't do this.

      Actually, your private results are not sent to Google; rather, when the data comes back from Google, the toolbar mixes your private results into the web search results and passes that on to the browser. The problem is that it may not be the user directing the browser to do the request. It could be a Java applet, or maybe (with some help) some Javascript on a malicious web page. Then the nasty code sees the results and it can send them off to where they shouldn't go.

  11. How it works by SiliconEntity · · Score: 4, Informative

    A web page on the attack is http://seclab.cs.rice.edu/ which also links to a technical report.

    The way it works is actually pretty simple. What happens normally is that the toolbar watches your outgoing and incoming web connections. When you make a Google query, it detects that and does a local search of its index of your disk. When the results come back from Google, it mixes in the results from the web with the results from your disk. This design is to protect your privacy.

    The attack is for a malicious site to download a Java applet to your system. This applet does a Google query (via the malicious site as a proxy, to defeat applet sandboxing), and then reads the results which come back. When the results get back to the applet they have gone through the Google toolbar and gotten the local disk results integrated. The applet then sends the data to the malicious site, and presto, it knows a lot about the contents of your disk.

  12. Intruder Alert. Kill the humanoid. by HarveyBirdman · · Score: 4, Funny
    Maybe they need to start making a list of software WITHOUT security flaws. It would save space.

    Then again, I'm sure someone will find an exploit in Calculator or Freecell given time.

    --
    --- Ban humanity.
  13. false alarm by kevinx · · Score: 5, Funny

    you had me worried for a sec. I thought there might have been a secret button that pops up that says, "find your husband's porn".

  14. Re:what the heck by shotfeel · · Score: 4, Funny

    Its like MS Windows and a PC.

    Windows, just sitting there on the CD isn't a secutity problem.

    The PC, sitting there without an operating system isn't a secutity problem.

    Put the two together -Microsoft magic!

  15. Re:Professor Wallach taking all the credit? by sfogarty · · Score: 4, Informative

    Check out our webpage . The tone of the article is not Dan's doing. He has been more than generous with the credit, and was involved with our project and of invaluable assistance the entire time.