Slashdot Mirror

← Back to Stories (view on slashdot.org)

A Second Google Desktop Vulnerability

Posted by kdawson on from the anti-anti-anti-DNS-pinning dept.

zakkie writes "According to InfoWorld, Google's Desktop indexing engine is vulnerable to an exploit (the second such flaw to be found) that could allow crackers to read files or execute code. By exploiting a cross-site scripting vulnerability on google.com, an attacker can grab all the data off a Google Desktop. Google is said to be investigating. A security researcher is quoted: 'The users really have very little ability to protect themselves against these attacks. It's very bad. Even the experts are afraid to click on each other's links anymore.'"

4 of 80 comments (clear)

  1. Welcome to ubiquity, Google by caywen · · Score: 3, Interesting

    I wonder how many more exploits would be found if Google Desktop ended up on 90% of desktop computers?

  2. Google Desktop pre-loaded on Dells by PoconoPCDoctor · · Score: 4, Interesting

    I noticed a while ago that Google Desktop was preloaded on the Dells we buy. These Dells can wind up in areas that might access patient information. Since this is a major research hospital/medical school, I brought my concerns to the security group (HIPAA laws mandate privacy for patient information). Dell/Google assured us that this was a non-issue.

    The end result was that not much happened.

    My take? I still uninstall it whenever I see it.

    --
    "Let us raise a standard to which the wise and honest can repair" - George Washington
  3. People keep complaining bout my sig by TheLink · · Score: 3, Interesting

    People keep complaining about my sig. But they should just learn.

    Browsers suck. javascript is unsafe and most sites/webapps don't sign url/form parameters. So learn to think before you click.

    And if you are thinking of clicking on some strange stuff, open a pristine VM, and use a clean browser there (you can even "sort of" put the VM on a different network from your computer - get two NICs).

    --
  4. Doesn't affect all Google Desktop users by fname · · Score: 3, Interesting

    This doesn't appear to affect all Google Desktop users. The article talks about data being intercepted as it is sent to Google. IOW, this is only applicable for users who are storing a complete index of their hard drive on Google's servers. As if that wasn't an obvious security threat!

    Simple solution: make sure you disable the "feature" allowing you to index your hard drive on Google's servers. IMHO, a terrible feature that has caused Google far more harm than good. Many companies have banned Google Desktop because of this capability. It was even more inexcusable when it was enabled by default.

    Moral of the story: even if they aim to "do no evil," Google's self-assuredness often leaves the user paying the price for Google's mistakes.