Security hole found in Google desktop search

IDG News Service - Researchers at Rice University have discovered what they say is a flaw in the beta version of Google Inc.'s Desktop Search product that could allow third parties to access users' search result summaries, providing a sneak peek at part of the content of personal files.
A description of the flaw, which was discovered by Rice computer science professor Dan Wallach and two graduate students, was posted on the university's Computer Security Lab Web site late yesterday. The researchers labeled the glitch "serious" and said it could allow attackers to read snippets of files embedded in Google's normal Web searches by the local search engine.
Google was notified of the flaw and has fixed it in an update that is currently being rolled out through an auto-update feature, the company said today.
The Rice researchers said users can check if they have the updated version by selecting the About icon on their Google Desktop Search task bars. If it says Version No. 121004, indicating Dec. 10, 2004, or later, they are safe, the researchers said.
To be affected, a user would have to visit a Web site where an attacker has embedded a particular Java applet. The applet makes certain network connections that trick Google Desktop into integrating a user's local search results with results from an online search. When users visit the compromised site, the applet reads their local search result summaries and sends them back to the attacker's server, they said.
Summaries from Google Desktop searches often contain snippets of content from personal files, and it is this content that the attacker is able to read, the researchers said.
Users on wireless networks can be attacked even if they aren't visiting a compromised site if the attacker tampers with the network connections being made by the user's Web browser, the researchers said. By doing this, the attack could be injected into any other Web page, they said.
In October, Google released a beta version of its desktop search product (see story) that allows users to search PC files, local e-mail messages and archived chat sessions. It joined an industry stampede into the local search space -- America Online Inc., Yahoo Inc. and Microsoft Corp. all are offering desktop search tools.
Other desktop search products aren't believed to have the flaw, however, since Google's is the only one that seamlessly integrates local search results with those of online searches, the researchers said.

Reprinted with permission from

IDG.net
Story copyright 2009 International Data Group. All rights reserved.