Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Google Businesses The Internet Security

Flaw in Google's New Desktop Tool [Update: Fixed!] 266

silassewell writes "A Rice University computer scientist and two of his students have discovered a potentially serious security flaw [Sell your soul to the NYTimes to Read] in the desktop search tool for personal computers that was recently distributed by Google." Update: 12/21 03:15 GMT by T : An anonymous reader writes "It's being reported that the security problem in Google's Desktop Search has been plugged."
This discussion has been archived. No new comments can be posted.

Flaw in Google's New Desktop Tool [Update: Fixed!]

Comments Filter:
  • No Reg Required... (Score:5, Informative)

    by Anonymous Coward on Monday December 20, 2004 @01:01PM (#11138385)
    Here's a reg free link [nytimes.com] for those of us who have already sold our souls for other devious purposes ;)
    • by Anonymous Coward
      Isn't it aweful when you try to sell your soul, and then Satan gets back to you a little later, talking about a pre-existing lein? The look on His face, the patronizing way He talks down to you... I can't stand it. It's so embarrassing.
  • by pegr ( 46683 ) * on Monday December 20, 2004 @01:01PM (#11138391) Homepage Journal
    Here is the no-subscriber link via Google News [google.com], for all that self-referential goodness...

    At least they don't bury the bad news...
  • by mako1138 ( 837520 ) on Monday December 20, 2004 @01:02PM (#11138399)
    "When you put them together, out jumps a security flaw." What is this, magic?
    • by Kjella ( 173770 ) on Monday December 20, 2004 @01:09PM (#11138478) Homepage
      You have two components, which act as intended. However, the way they are merged into a product (i.e. the glue code) is flawed. If you want to be more technical, it is the kind of flaw you do not find through unit tests, only through system tests. So going from two components with no security flaws, you have a product with a security flaw. The quote is somewhat melodramatic, but accurate.

      Kjella
      • by Digital_Quartz ( 75366 ) on Monday December 20, 2004 @01:20PM (#11138630) Homepage
        Admittedly the NYT article is extremely light on details (and those details don't show up until the end of the article), but from what it sounds like, the Google search tool sends a brief chunk of each search result, whether of local or network origin, to Google, so Google can display some ads.

        These guys tricked the google search tool into sending that information somewhere else.

        So, we have a "composition flaw", between two components; Google's search tool, and... uh... a Java attack script. Hmm...

        The "flaw" here is that Google's search tool sends personal information to an external host, plain and simple. If I don't want a third party attacker seeing arbitrary parts of my hard drive's contents, I probably don't want Google seeing them either.
        • by SiliconEntity ( 448450 ) on Monday December 20, 2004 @02:52PM (#11139597)
          Admittedly the NYT article is extremely light on details (and those details don't show up until the end of the article), but from what it sounds like, the Google search tool sends a brief chunk of each search result, whether of local or network origin, to Google, so Google can display some ads.

          It does sound like that, but that would be a terrible design, wouldn't it? It would mean your private search data is being sent to Google! And Google swore up and down that they wouldn't do this.

          Actually, your private results are not sent to Google; rather, when the data comes back from Google, the toolbar mixes your private results into the web search results and passes that on to the browser. The problem is that it may not be the user directing the browser to do the request. It could be a Java applet, or maybe (with some help) some Javascript on a malicious web page. Then the nasty code sees the results and it can send them off to where they shouldn't go.
      • Actually, the flaw is that we have one domain: public http pages, mixed with a second domain: private user data. The security model for the first domain generally allows web pages to access their own content. It is assumed that the site the page originated from is supposed to be able to get it's hands on what it sent, including sending it back. Thus when we mix in the second domain: static information from the user's local files that should not be part of active content, a security vulnerabilty is created.
    • Re:what the heck (Score:5, Informative)

      by evilmousse ( 798341 ) on Monday December 20, 2004 @01:19PM (#11138606) Journal

      nooo.. it's a fairly common way to find security holes. you can identify every input and every state a program can enter, test all that to be solid, and it can still yield security flaws when working together with another peice of software. This happens most especially on the web, where multiple technologies plug into each other, and unless the sandboxing is extremely solid, a combination of programs noone considered can easily have dastardly results. i think the usefulness of a desktop search tool to any bug looking for targets to infect is pretty obvious. The settings files for the programs are easily mined for info too, if they're not already stored in that abhorrent windows registry.

    • by shotfeel ( 235240 ) on Monday December 20, 2004 @02:14PM (#11139145)
      Its like MS Windows and a PC.

      Windows, just sitting there on the CD isn't a secutity problem.

      The PC, sitting there without an operating system isn't a secutity problem.

      Put the two together -Microsoft magic!
  • by Swamii ( 594522 ) on Monday December 20, 2004 @01:05PM (#11138426) Homepage
    Your website goes here
    Google deploys their search tool
    All is exploited
  • don't worry (Score:5, Insightful)

    by AviLazar ( 741826 ) on Monday December 20, 2004 @01:06PM (#11138435) Journal
    You can all, soon, download M$'s search tool - and we all know this will invade your privacy --- on purpose that is... :D

    Programs like these (i.e. Gator password program) are the reason why I am a minimalist. I keep on my computer exactly what I need (pr0n included) and nothing else. Anything that potentially interfaces w/the web is a no-no with me (I use zone alarm, so I can see any program trying to access the net).
    • by atlasheavy ( 169115 ) on Monday December 20, 2004 @01:14PM (#11138549) Homepage
      The MSN Desktop Search tool is already available, and a hell of a lot better than google's desktop search. You can download it from http://beta.toolbar.msn.com/ [msn.com].


      Your definition of minimalism is probably different than a lot of other people's. Keep that in mind. I can't function unless I have at least a compiler, if not a full-blown IDE on the computer I'm using. Same thing goes for Photoshop and me.


      You may not have either, and may disregard the need for me or anyone else to have these. Just remember, everyone's different. Because you don't find something useful doesn't mean someone else won't.

      • I was not disregarding anyone. Being a minimalist is the same across the board - keeping it down to the minimum. I think you were jumping the gun. I just said I keep the programs that *I* *need* to a minimum. So if you need a compiler then you need it. I wonder how many people need the google desktop search tool? I mean not just "hey this is cool, or this might help" but actually need it? I have a process (it's my own so it's seemless for me) of naming my files, and my directory structure. I never hav
        • You make a good point.

          Desktop search is NEAT, but I don't need it. I keep my files organized to begin with, and since I use Mozilla at home and Thunderbird at work, none of the "tools" out there will help me search my e-mail anyway.

          It's really a utility for the people who save files wherever the program defaults to, and never know where that is, who have their files scattered all over creation, and who need help organizing their data.
          • Some people think they need it. I just had a conversation with my co-worker - she keeps every piece of e-mail she gets (she is the IT manager, and subscribes to groups, gets all the spam caught mail etc, which amounts to about 1000 e-mails in all each day). She likes it for searching through her e-mails, which according to her is way faster then Outlooks search ability.

            So people need it for various reasons...part of my needs is Zone Alarm, for nothing else then to block these programs from accessing th
            • well over ZA's dead body

              Yes, Zone Alarm can be as annoying as Hell, and it can be a pain in the neck at times, but the payoff of having application by application control over Internet access is priceless.

              Although one of these days I really need to get around to configuring it so it doesn't block SMB shares. I don't need it often, but when I do it's annoying to end up turning off ZA during the copy process.
              • It's so useful. I was having hopes for M$'s firewall, but I noticed that certain programs can automatically override it and insert themselves as "OK" programs to access the net (iTunes for example). Kind of annoying. Plus I do not see a list of every app the accesses the net, so that kinda worries me.
    • by doublem ( 118724 ) on Monday December 20, 2004 @01:15PM (#11138561) Homepage Journal
      Kudos to you for admitting your need for p0rn.

      Far too many people let shame take away their abilty to admit they like the stuff.
      • Shame!?

        If i start telling people about my multi terabyte porn collection they start asking me to send it to them!!

        wait... umm I don't have any porn.. nothing to see here...
        • > If i start telling people about my multi terabyte porn collection they start asking me to send it to them!!
          >
          >wait... umm I don't have any porn.. nothing to see here...

          So, umm, then you've got nothing to lose by installing Google Desktop Search or MSN Desktop Search, or anybody else's Desktop Search utility then, right?

          *taps foot for ten seconds*

          So have you installed it yet? Huh? Haveya haveya haveya? Whenyagonna? Huh? Huh?

    • sure google can do no wrong, eh?
      *cough* the never expiring google tracking cookie *cough* the full featured toolbar is spyware.

      Ironically, MS doesn't want your private info, the data miners google sells data to do.
  • by winkydink ( 650484 ) * <sv.dude@gmail.com> on Monday December 20, 2004 @01:09PM (#11138488) Homepage Journal
    The Google desktop program includes an update feature that permits the company to automatically install new versions of the program on users' computers without user intervention or knowledge.

    Many will not like this concept, but I am happy to learn, I don't have to uninstall, re-install, and re-index to ensure I have it fixed.

    • "The Google desktop program includes an update feature that permits the company to automatically install new versions of the program on users' computers without user intervention or knowledge.

      Many will not like this concept, but I am happy to learn, I don't have to uninstall, re-install, and re-index to ensure I have it fixed."

      I much prefer to have a button "Check for updates and install now" or "Download, but don't mess with the setup (i.e. install) until I tell you". But I still don't want to, nor need
      • You're right. I already hear too much, " but it worked fine yesterday and I haven't done anything to my computer." I don't need updates happening behind my back to make things even worse.

        • I don't need updates happening behind my back to make things even worse.

          Yes, but you're in some sort of IT field. Most users, given the option of downloading and installing security patches, will not. That's why MS has been in so much trouble about not having that on by default, and why they turned it on in XP SP2.

  • Fix for the flaw (Score:5, Informative)

    by alphakappa ( 687189 ) on Monday December 20, 2004 @01:09PM (#11138489) Homepage
    Google has already fixed the problem, and if you are using GDS, you should have the updated version since GDS updates automatically without user intervention. If you neeed to check, your version number should be 121,004 (or above). I verified from my firewall that my version was updated yesterday. (Apparently Google has been rolling out the updates since December 10)
    • by Otter ( 3800 ) on Monday December 20, 2004 @01:21PM (#11138635) Journal
      ...since GDS updates automatically without user intervention.

      Next Google "scandal": GDS updates automatically without user intervention!!!

      • This is a serious reason not to run Windows.

        Too much software assumes it can rewrite and install/upgrade itself.

        I want to install software as admin and not as the user.
        • I want to install software as admin and not as the user.

          Windows has the admin/user distinction too (at least in 32-bit versions). The "every user an admin" situation in Windows is more cultural than technical.

          I don't want to minimize the security flaws in Windows -- of which there are way too many. But security has a social component too. Right now, most computer users are to some degree their own system administrator -- and most of them just don't have the skills to do it.

          It's perfectly simple to set

      • by imsabbel ( 611519 ) on Monday December 20, 2004 @01:56PM (#11138976)
        No need for "" around the scandal: Its an app than is supposed to index all private information on a local pc (Email/documents/ect). It has to to be usefull.
        I dont want such a critical program auto-updating without even giving the user a notice that he isnt running the same software version anymore.
        Alone the fact that a new version can be downloaded and automatically executed SCREAMS security issue. One spoof/hack and we have a ton of google desktop zombies waiting for commands....
    • Re:Fix for the flaw (Score:5, Informative)

      by jeblucas ( 560748 ) <jeblucasNO@SPAMgmail.com> on Monday December 20, 2004 @01:33PM (#11138754) Homepage Journal
      your version number should be 121,004 (or above)
      I'm going to go out on a limb and guess that Google's version number there is 121004, not because they want it read as "one hundred twenty-one thousand and four", but rather as "December 10th, 2004". Don't panic if it rolls back to 011605 next month.
      • What you say makes a lot of sense (which means that my "or above" statement is not valid).
      • correction again: maybe we should then interpret "or above" as the next date above 12-10-04. I think a versioning system that uses year-month-day would be easier to interpret than the month-day-year being used :-)
        • by pjt33 ( 739471 )
          Not to mention that it's a good habit to get into because it can be sorted lexicographically. (Think ls putting your dated backup tarballs in the correct order, for example).
  • Better link (Score:3, Informative)

    by Anonymous Coward on Monday December 20, 2004 @01:12PM (#11138516)
    From the researchers themselves, [rice.edu] rather than the NYT's garbled take on it.
  • by grahamsz ( 150076 ) on Monday December 20, 2004 @01:12PM (#11138524) Homepage Journal
    The article seemed a little vague, but i started investigating this when google desktop first came out.

    GDS runs a webserver on your computer which any local application can query, including any java or activex app with outgoing http priviledges.

    Google stop this by requiring that some sort of random ID as a key to access the page. This ID is generated as part of the url when you double click on the GDS icon in the taskbar.

    It's also embedded into any results page that comes back from google, and you can exploit this by having the java applet first request www.google.com, find the link to GDS, then run a GDS search, then return those results via another web request to a remote host.

    But it sounds like it's fixed, so that's good.
    • by sfogarty ( 758783 ) on Monday December 20, 2004 @01:33PM (#11138747)
      Not quite. Again, I recomend checking the webpage [rice.edu], but since I know most of you won't (I wouldn't)... Go install google desktop. Go to google.com. Do a search. Notice it says 'local results found:' and includes small snippets of the local results. We can get those snippets for arbitrary searches by making our own requests to Google. The local data is integrated after the reponse comes back from Google, but before we get it. The only tricky bit is making the requests to google.com through an applet, since the applet is not allowed to connect to google.com, only the originating host. Luckily we can run a web proxy on our originating host and still get the integration results. We don't even have to return the right google.com search result... we can just replay an old page.
  • by jpvlsmv ( 583001 ) on Monday December 20, 2004 @01:12PM (#11138526) Homepage Journal
    Was this flaw enough to gain a passing grade, unlike DJB's students [slashdot.org]

    --Joe
  • by 31415926535897 ( 702314 ) on Monday December 20, 2004 @01:13PM (#11138537) Journal
    "An attack would require a user to visit the attacker's Web site first, and any type of Web browser could make a user vulnerable."

    It seems like most non-email Internet attacks require you to visit an attacker's website before the payload can be delivered (there are some good articles about this at ISC [sans.org]). I would tend to think that unpatched browsers (<cough>IE<cough>) would still cause more problems that this.

    Don't misunderstand me, though; I am not trying to excuse Google from the flaw, but the good news is that it's already fixed, and I'm sure the scum of the Internet are going to focus on these other (exciting, money-making) opportunities.

    PS. I know Seth Fogarty, does that give me some sort of karma bonus ;-)
  • by KublaiKhan ( 522918 ) on Monday December 20, 2004 @01:14PM (#11138546) Homepage Journal
    ...by their implementation of the exploit. Using Java as an exploit-crafting tool is really quite ingenious. Perhaps we'll see more of this in the future: seeing as Java runs in a sandbox, it would be very difficult to put a viral load on a distributed exploit. .....of course, that just means that it makes life safer for the script kiddies....so perhaps this isn't a good idea after all.
  • Makes you wonder what this could be used for.

    It's a dream exploit for finding users with illegal mp3s or video.

    Trying to steal confidential information isn't so easy, since you'd have to have a fairly good idea what to search for first.

    • It's a dream exploit for finding users with illegal mp3s or video.
      Other than this being completely illegal. This small thing called due process would through any evidence gathered in this manner out. Plus, they themselves would be (probably) committing a federal crime of unauthorized access of a computer system.
      • What you say is true, but there are already cases of the law applying in lopsided ways with regards to little guys versus big guys. I don't have the faith in the system to believe that the point you made would be that much of an obsticle. Someone would find a legalistic loophole, or invent one.
      • Re:Potential Uses (Score:3, Insightful)

        by Methuseus ( 468642 )
        So the RIAA or whatever would be given a small fine of around $100,000 and would sue the person even though there's no hard evidence. The lawsuit would cost quite a bit of money to the defendant, and, even if the RIAA couldn't win, the defendant wouldn't be able to afford to keep going.
  • Big Deal (Score:3, Insightful)

    by crowemojo ( 841007 ) on Monday December 20, 2004 @01:18PM (#11138597)
    The Rice group was able to create a Java program that makes network connections back to the computer from where it was downloaded and then make it appear as if it were asking for a search at Google.com. That was enough to fool the Google desktop software into providing the user's search information. The program was able to do anything with the results, including transmitting them back to the attacking site.

    So let me get this straight, after successfully fooling a user that the site they are seeing is legit when it's actually spoofed, then they can get the results of local search queries, potentially seeing parts of a file. Don't get me wrong, that kind of stinks and all, but if you have already fooled someone into believing the sites they are looking at are legit, why bother with this? Show them a gmail login, or a yahoo mail login, or if you know a bit about them, their internet banking login.

    This security flaw doesn't seem like that big of a deal and if anything, it highlights that Google is being proactive about such things; addressing the issue and releasing fixed software in a reasonable amount of time. Kudos.
  • How it works (Score:5, Informative)

    by SiliconEntity ( 448450 ) on Monday December 20, 2004 @01:29PM (#11138714)
    A web page on the attack is http://seclab.cs.rice.edu/ [rice.edu] which also links to a technical report [rice.edu].

    The way it works is actually pretty simple. What happens normally is that the toolbar watches your outgoing and incoming web connections. When you make a Google query, it detects that and does a local search of its index of your disk. When the results come back from Google, it mixes in the results from the web with the results from your disk. This design is to protect your privacy.

    The attack is for a malicious site to download a Java applet to your system. This applet does a Google query (via the malicious site as a proxy, to defeat applet sandboxing), and then reads the results which come back. When the results get back to the applet they have gone through the Google toolbar and gotten the local disk results integrated. The applet then sends the data to the malicious site, and presto, it knows a lot about the contents of your disk.
    • When you make a Google query, it detects that and does a local search of its index of your disk. When the results come back from Google, it mixes in the results from the web with the results from your disk.

      Remind me again why I need this?

      I dunno... there's too many solutions looking for problems out there.

    • by mcc ( 14761 )
      It's basically just a man-in-the-middle attack, where a site that isn't google poses as google and then takes the information intended for google?

      Well, um, that's a pretty well-solved problem, isn't it? Just have the google search agent thingy use SSL, and refuse to let it incorporate local data unless the SSL cert checks out as Google's. Problem solved? Or am I missing something?
  • by HarveyBirdman ( 627248 ) on Monday December 20, 2004 @01:31PM (#11138731) Journal
    Maybe they need to start making a list of software WITHOUT security flaws. It would save space.

    Then again, I'm sure someone will find an exploit in Calculator or Freecell given time.

  • false alarm (Score:5, Funny)

    by kevinx ( 790831 ) on Monday December 20, 2004 @01:33PM (#11138759)
    you had me worried for a sec. I thought there might have been a secret button that pops up that says, "find your husband's porn".
    • Too Late (Score:3, Insightful)

      by eMartin ( 210973 )
      You know, she's probably already found it.

      I know a few people who think their porn is hidden on their computer, but those who live with them say otherwise.

      Just think of all of the recent file lists and last used directories in your media players or image viewers, system logs with errors for codecs and paths to the problem files, browser history autocomplete and cookie names, disks with "missing" space or restricted directories, and the good old file search for mpg, avi, wmv, etc.

      You're probably not the o
      • Re:Too Late (Score:4, Funny)

        by eMartin ( 210973 ) on Monday December 20, 2004 @02:31PM (#11139329)
        Which, by the way, reminds me of the time a friend asked me to fix his computer, and while running a virus scan, the progress window soon started running through his porn directories flashing some pretty embarassing filenames.

        And that went on for a good 10 minutes or so.

        All i could say was "Well, we do need to do the virus scan."
  • already fixed! (Score:3, Informative)

    by museumpeace ( 735109 ) on Monday December 20, 2004 @01:33PM (#11138762) Journal
    from the NYT article:
    ...The researchers said that Google had responded quickly to their alert last month and had begun releasing a corrected version of the program on Dec. 10....
    BTW, CNET reported this last night.
    [obligatory jab at microsoft,typical at this point in a comment, is being left as an exercise for the readers....]
  • by caluml ( 551744 ) <slashdotNO@SPAMspamgoeshere.calum.org> on Monday December 20, 2004 @01:38PM (#11138796) Homepage
    Stop the press! Bug in beta app! "Oh no!" Waves hands in the air, and runs around in circles. "Who will save us now? Who will save us?!!"
  • by dbacher ( 804594 ) <dave.bacher@earthlink.net> on Monday December 20, 2004 @02:09PM (#11139099) Homepage
    Here is how the attack works.

    This is based on Wired's much more clear and coherent description.

    Desktop search installs an object that the browser instantiates on Google web pages to render local results along side of google results. No data is sent in this process.

    The attack involves the fact that this data is present on the web page itself, and is added to the DOM. An attacker using JavaScript can traverse the DOM and read the exerpts of files shown on the search page.

    It cannot follow this to the document itself in the cache, and it can see nothing other than the quoted excerpt.

    It's beta software, bound to be problems. This particular problem is because the object isn't "locked to the page."

    The vulnerability doesn't effect any other desktop search tool that is currently available, because none of them use an object in the browser to integrate search results with their web page. All the other tools are either search your desktop or search the web, not search both at once.

    Using FireFox, without the object, you won't get the integrated search results, so you won't have the problem.
  • Common Sense (Score:3, Interesting)

    by dshaw858 ( 828072 ) on Monday December 20, 2004 @02:25PM (#11139265) Homepage Journal
    I think it's common sense that if you install a third party tool to index your hard drive, especially one with internet access, you're setting yourself up for disaster. I love Google as much as the next guy, but having a tool that handily stores all of that information is a blatant security risk. Sure MS search is slow (for my Windows boxes), and I'm not even sure if GDS even was released for linux (updatedb | locate something | grep something-more-specific)... but if you're going to index your hard drive, you're taking a risk. I don't see why this would surpise anyone all that much.

    - dshaw
  • ..in Soviet Russia, web searches YOU! Oh, umm...
  • by prat393 ( 757559 ) on Monday December 20, 2004 @03:36PM (#11140107)
    Here's Rice's security lab post about the flaw: clicky [rice.edu]

The truth of a proposition has nothing to do with its credibility. And vice versa.

Working...