20 Dec 2004: Google Desktop Security Issue

We found that the Google Desktop personal search engine contained a serious security flaw that would allow a third party to read the search result summaries that the local search engine embeds in normal Google web searches.

An attacker would not be able to read your files directly, but the search results often contain snippets of your files. If you had a file with a list of web passwords, for example, an attacker might be able to read some of those passwords.

Has Google fixed this?

We made Google aware of the issue in late November. They have redesigned the embedding mechanism to prevent our attack and are now distributing a version that is not vulnerable. The Google Desktop application has an auto-update feature, and Google is rolling the updates out right now.

How can I tell if I have the new version?

From the Google Desktop icon in your task bar, select “About.” If the version number is 121004 (December 10, 2004) or more recent, then you’re safe.
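For anyone checking more than one machine, the comparison has a catch: the build number is a date written as MMDDYY, so a plain integer comparison gives wrong answers across a year boundary. The following is an added example, not part of the original advisory or of Google's software; it assumes every build number uses the same MMDDYY layout as the one quoted above, and the host names and all builds other than 121004 are constructed.

```python
from datetime import date

# First fixed build, as stated on this page: 121004 = December 10, 2004.
FIXED_BUILD = "121004"


def parse_build(build: str) -> date:
    """Parse an MMDDYY build number into a date.

    Assumption: every build number uses the MMDDYY layout implied by
    "121004 (December 10, 2004)", and all years fall in 2000-2099.
    """
    build = build.strip()
    if len(build) != 6 or not build.isdigit():
        raise ValueError(f"not a 6-digit build number: {build!r}")
    month, day, year = int(build[0:2]), int(build[2:4]), int(build[4:6])
    # date() raises ValueError for impossible dates such as month 13.
    return date(2000 + year, month, day)


def is_patched(build: str) -> bool:
    """True if the build is the fixed build or a more recent one."""
    return parse_build(build) >= parse_build(FIXED_BUILD)


def triage(inventory: dict[str, str]) -> dict[str, str]:
    """Map each host to 'patched', 'vulnerable' or 'unknown'."""
    result = {}
    for host, build in inventory.items():
        try:
            result[host] = "patched" if is_patched(build) else "vulnerable"
        except ValueError:
            # Unreadable version strings are flagged for manual review
            # rather than silently treated as safe.
            result[host] = "unknown"
    return result


# Constructed sample inventory (host names and builds other than 121004
# are made up for illustration).
SAMPLE = {
    "ws-01": "121004",  # the fixed build itself
    "ws-02": "111504",  # November 15, 2004: older
    "ws-03": "010505",  # January 5, 2005: newer, yet smaller as an integer
    "ws-04": "1.2.3",   # not in the expected format
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(host, status)
```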

What should I do if I’m running an older version?

In the Preferences dialog, you may deselect the checkbox for “Show Desktop Search results on Google Web Search result pages”. If you do this, you will also defeat the attack. You can still safely search your local computer; you just won’t see local search results integrated into Google web searches. The Google Desktop software will eventually update itself automatically.

Does it matter what web browser I use?

Any browser is vulnerable to this attack, so long as Google Desktop is integrating local search results into web searches performed at Google.com.

How does the attack work?

The user must visit the web page of a potential attacker. The attacker includes a Java applet in the web page. This applet will appear to the user as a normal part of the web page, but it will also make certain network connections that trick the Google Desktop into integrating its local search results, even though the applet never actually connects to Google. The applet can then read these integrated results and transmit them back to the attacker’s web server.

Furthermore, in cases where the user’s computer network is subject to “man-in-the-middle” attacks, including most 802.11 wireless networks, particularly when used in public locations, the user need not explicitly visit the attacker’s web page. The attacker could tamper with the network connections being made by the user’s web browser and could inject the attack into any other web page.

What about other desktop search programs?

As far as we know, Google Desktop is the only local search engine whose results are seamlessly integrated with web search results. Other local search engines do not have this feature, so they would be safe from our attack. We have not yet done a detailed examination of these other search engines, so we cannot say whether other vulnerabilities might exist.

Who discovered this flaw?

This work was a collaboration by Seth Fogarty and Seth Nielson (Rice graduate students), advised by Dan Wallach (a Rice professor). The work began as a final project in Wallach’s Computer Systems Security course.

I’m with the press and I’d like to interview…

To arrange an interview with one of us at Rice, you should contact Jade Boyd in Rice’s Media Relations department (+1-713-348-6778). If you are looking for a comment from Google, you should contact Nate Tyler.

Where can I get more information?

We’ve made a technical report available with more details.

Press coverage

New York Times, Slashdot, San Jose Mercury News, Houston Chronicle, The Motley Fool, TechWeb, and many others.