Google Desktop Search Buggy, Fixed

Researchers at Rice University makes public a bug in Google Desktop Search that could let hackers secretly search the contents of a user's hard drive.

December 20, 2004

2 Min Read
NetworkComputing logo in a gray background | NetworkComputing

Researchers at Rice University on Monday made public a bug in Google Desktop Search that could let hackers secretly search the contents of a user's hard drive. Google, which was made aware of the flaw last month, has created a fix and is updating the software automatically as users connect to the Internet.

Dan Wallach, an assistant professor of computer science at Houston's Rice University, discovered the vulnerability with the help of two graduate students, Seth Fogarty and Seth Nielson. Wallach characterized the flaw as "serious," and said in an online advisory posted to the Computer Security Lab's Web site that an attacker would be able to read small pieces of files indexed by Google Desktop Search.

"If you had a file with a list of passwords, for example, an attacker might be able to read some of those passwords," said Wallach in the advisory.

The hacker, said Wallach, would most likely have to entice users to a Web site that hosted a malicious Java applet, but other scenarios -- including unsecured Wi-Fi connections, such as those in public hotspots -- might let the attacker inject the exploit into any Web page.

Google isn't the only search site that's pushing into desktop search. While it beat rivals to market by releasing the free-of-charge Desktop Search in mid-October, Microsoft, Yahoo, and Ask Jeeves recently released preview versions of similar tools or announced that they would debut tools shortly.Wallach and his two graduate students believe that only Google is vulnerable to this bug, since it's the only one so far to actually integrate Web and local search results.

Google, which was told in November of the goof, has updated the tool and begun rolling out a new version via its automatic update feature. Users can check the "About" item in Desktop Search to determine if they have the protected edition: if the version number is 121004 (for December 10, 2004) or newer, the user's safe from the bug.

A more technical explanation of the Desktop Search problem can be found here in PDF format.

SUBSCRIBE TO OUR NEWSLETTER
Stay informed! Sign up to get expert advice and insight delivered direct to your inbox

You May Also Like


More Insights