Slashdot Mirror


Flaw in Google's New Desktop Tool [Update: Fixed!]

silassewell writes "A Rice University computer scientist and two of his students have discovered a potentially serious security flaw [Sell your soul to the NYTimes to Read] in the desktop search tool for personal computers that was recently distributed by Google." Update: 12/21 03:15 GMT by T : An anonymous reader writes "It's being reported that the security problem in Google's Desktop Search has been plugged."

6 of 266 comments

  1. No Reg Required... by Anonymous Coward · Score: 5, Informative

    Here's a reg free link for those of us who have already sold our souls for other devious purposes ;)

  2. Congratulations! by Tibor the Hun · Score: 5, Funny

    Not only did you get a -1 redundant, but you also got it on a 1st Post!
    This elusive prize is given by sharp moderators who rate your posts on the basis of what future posts might contain!

    Do break your paragraphs next time.

    --
    If you don't know what AltaVista is (was), get off my lawn.
  3. Re:what the heck by evilmousse · Score: 5, Informative

    nooo.. it's a fairly common way to find security holes. you can identify every input and every state a program can enter, test all that to be solid, and it can still yield security flaws when working together with another piece of software. This happens most especially on the web, where multiple technologies plug into each other, and unless the sandboxing is extremely solid, a combination of programs no one considered can easily have dastardly results. I think the usefulness of a desktop search tool to any bug looking for targets to infect is pretty obvious. The settings files for the programs are easily mined for info too, if they're not already stored in that abhorrent Windows registry.

  4. false alarm by kevinx · Score: 5, Funny

    you had me worried for a sec. I thought there might have been a secret button that pops up that says, "find your husband's porn".

  5. Re:No, it is a dumb explanation... by SiliconEntity · Score: 5, Informative

    Admittedly the NYT article is extremely light on details (and those details don't show up until the end of the article), but from what it sounds like, the Google search tool sends a brief chunk of each search result, whether of local or network origin, to Google, so Google can display some ads.

    It does sound like that, but that would be a terrible design, wouldn't it? It would mean your private search data is being sent to Google! And Google swore up and down that they wouldn't do this.

    Actually, your private results are not sent to Google; rather, when the data comes back from Google, the toolbar mixes your private results into the web search results and passes that on to the browser. The problem is that it may not be the user directing the browser to do the request. It could be a Java applet, or maybe (with some help) some JavaScript on a malicious web page. Then the nasty code sees the results and it can send them off to where they shouldn't go.
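
Added example, not part of the comment above and not Google's code: a small model of the data flow that comment describes, where a local component merges private hits into search responses without knowing who initiated the request, next to one possible mitigation. All names, the sample index and the token check are assumptions made for illustration; the page does not say how the actual fix works.

```javascript
// Added illustration; every name and value below is hypothetical and constructed.
const PRIVATE_INDEX = [
  { file: "taxes-2004.xls", snippet: "budget: refund estimate" },
  { file: "notes.txt", snippet: "budget meeting with landlord" },
];

// Stand-in for the remote search engine; it never sees local data.
function webSearch(query) {
  return [`web: public page about ${query}`];
}

function localHits(query) {
  return PRIVATE_INDEX.filter((d) => d.snippet.includes(query))
    .map((d) => `local: ${d.file}`);
}

// Weak integration: private hits are merged into every search response,
// whoever asked, so any code able to issue the request can read them.
function mergeWeak(request) {
  return [...localHits(request.query), ...webSearch(request.query)];
}

// Compare every character so the check does not stop at the first mismatch.
function sameToken(a, b) {
  if (typeof a !== "string" || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Hardened integration (one possible mitigation, assumed here): merge only
// when the request carries a per-session secret held by the user's own UI.
function makeHardenedMerge(sessionToken) {
  return (request) => {
    const web = webSearch(request.query);
    return sameToken(request.token, sessionToken)
      ? [...localHits(request.query), ...web]
      : web;
  };
}

// Constructed token; real code would draw it from a CSPRNG per session.
const SESSION_TOKEN = "constructed-session-token-0001";
const mergeHardened = makeHardenedMerge(SESSION_TOKEN);

const scripted = { query: "budget" };                        // untrusted initiator
const userTyped = { query: "budget", token: SESSION_TOKEN }; // user's search box
console.log(mergeWeak(scripted), mergeHardened(scripted), mergeHardened(userTyped));
```

The weak merge returns the two local entries to the scripted request, while the hardened merge returns only the web result unless the token matches.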