Slashdot Mirror


A Second Google Desktop Vulnerability

zakkie writes "According to InfoWorld, Google's Desktop indexing engine is vulnerable to an exploit (the second such flaw to be found) that could allow crackers to read files or execute code. By exploiting a cross-site scripting vulnerability on google.com, an attacker can grab all the data off a Google Desktop. Google is said to be investigating. A security researcher is quoted: 'The users really have very little ability to protect themselves against these attacks. It's very bad. Even the experts are afraid to click on each other's links anymore.'"

8 of 80 comments

  1. I can't be the only one... by Wilson_6500 · · Score: 2, Interesting

    Even the experts are afraid to click on each other's links anymore.

    Does anyone else think that was tremendously funny in a sixth-grade-humor sort of way? Maybe I just am up too early.

  2. Welcome to ubiquity, Google by caywen · · Score: 3, Interesting

    I wonder how many more exploits would be found if Google Desktop ended up on 90% of desktop computers?

  3. Re:Experts? by MichaelSmith · · Score: 2, Interesting

    Certainly.. they run it just like it's supposed to be, as a VMWare image sandboxed inside their *nix/BSD workstation. Again, anyone that's using a web browser running under the same account permissions as any sensitive data on that machine is _not_ a security "expert".

    Yes, I agree with you. But where I work if you are in any senior position you would be running Windows on your desktop. Our "IT manager" has no IT experience at all, beyond knowing who has what contracts. That's the guy in charge of security.

  4. Google Desktop pre-loaded on Dells by PoconoPCDoctor · · Score: 4, Interesting

    I noticed a while ago that Google Desktop was preloaded on the Dells we buy. These Dells can wind up in areas that might access patient information. Since this is a major research hospital/medical school, I brought my concerns to the security group (HIPAA laws mandate privacy for patient information). Dell/Google assured us that this was a non-issue.

    The end result was that not much happened.

    My take? I still uninstall it whenever I see it.

    --
    "Let us raise a standard to which the wise and honest can repair" - George Washington
  5. People keep complaining about my sig by TheLink · · Score: 3, Interesting

    People keep complaining about my sig. But they should just learn.

    Browsers suck. JavaScript is unsafe and most sites/webapps don't sign URL/form parameters. So learn to think before you click.

    And if you are thinking of clicking on some strange stuff, open a pristine VM, and use a clean browser there (you can even "sort of" put the VM on a different network from your computer - get two NICs).

  6. Who uses this crap anyway? by Anonymous Coward · · Score: 2, Interesting

    I tried Google Desktop... consumed 10GB of disk space, had a process that ran 100% CPU eating nearly 700MB of RAM, and kept indexing USB devices so you couldn't eject them. All this and it couldn't tell when you moved a file from one directory to another... or deleted it entirely! Hell, the Windows XP "Search" can at least find a file if you know the name of it.

  7. Doesn't affect all Google Desktop users by fname · · Score: 3, Interesting

    This doesn't appear to affect all Google Desktop users. The article talks about data being intercepted as it is sent to Google. IOW, this is only applicable for users who are storing a complete index of their hard drive on Google's servers. As if that wasn't an obvious security threat!

    Simple solution: make sure you disable the "feature" allowing you to index your hard drive on Google's servers. IMHO, a terrible feature that has caused Google far more harm than good. Many companies have banned Google Desktop because of this capability. It was even more inexcusable when it was enabled by default.

    Moral of the story: even if they aim to "do no evil," Google's self-assuredness often leaves the user paying the price for Google's mistakes.

  8. Snort signatures here: by farker+haiku · · Score: 2, Interesting

    I've said it before and I'll say it again. Snort signatures available here

    --
    Your sig(k) has been stolen. There is a puff of smoke!