Slashdot Mirror

← Back to Stories (view on slashdot.org)

A Second Google Desktop Vulnerability

Posted by kdawson on Saturday February 24, 2007 @08:47PM from the anti-anti-anti-DNS-pinning dept.

zakkie writes "According to InfoWorld, Google's Desktop indexing engine is vulnerable to an exploit (the second such flaw to be found) that could allow crackers to read files or execute code. By exploiting a cross-site scripting vulnerability on google.com, an attacker can grab all the data off a Google Desktop. Google is said to be investigating. A security researcher is quoted: 'The users really have very little ability to protect themselves against these attacks. It's very bad. Even the experts are afraid to click on each other's links anymore.'"

3 of 80 comments (clear)

Min score:

Reason:

Sort:

Misleading summary by Potor · 2007-02-24 21:22 · Score: 4, Informative

TFA is clear that this does not refer to the Google Desktop vulnerability in specific, but rather to the general state of browser security. TFA:
"A lot of these new attack techniques are going to require the browsers to improve," Grossman said. "The users really have very little ability to protect themselves against these attacks" he said. "It's very bad. Even the experts are afraid to click on each other's links anymore."
Re:Experts? by value_added · 2007-02-25 01:05 · Score: 3, Informative

[T]hey run it just like it's supposed to be, as a VMWare image sandboxed inside their *nix/BSD workstation.

BSD isn't supported as a VMWare host OS.
Re:Doesn't affect all Google Desktop users by blchrist · 2007-02-25 09:27 · Score: 2, Informative

If you read the whole whitepaper, the authors say (p15) that an attacker could use the vulnerability to turn on the "search across computers" feature.
The whitepaper is well written and worth the read. It's a pretty scary vulnerability.