Rice University Computer Scientists Find a Flaw in Google's New Desktop Search Program

R.A. Hettinga rah at shipwright.com
Mon Dec 20 19:10:11 PST 2004


<http://nytimes.com/2004/12/20/technology/20flaw.html?pagewanted=print&position=>

The New York Times

December 20, 2004

Rice University Computer Scientists Find a Flaw in Google's New Desktop
Search Program
 By JOHN MARKOFF


AN FRANCISCO, Dec. 19 - A Rice University computer scientist and two of his
students have discovered a potentially serious security flaw in the desktop
search tool for personal computers that was recently distributed by  Google.

The glitch, which could permit an attacker to secretly search the contents
of a personal computer via the Internet, is what computer scientists call a
composition flaw - a security weakness that emerges when separate
components interact. "When you put them together, out jumps a security
flaw," said Dan Wallach, an assistant professor of computer science at Rice
in Houston, who, with two graduate students, Seth Fogarty and Seth Nielson,
discovered the flaw last month. "These are subtle problems, and it takes a
lot of experience to ferret out this kind of flaw," Professor Wallach said.

Google introduced a test version of the desktop search tool on Oct. 14, and
it can be downloaded at no cost. The program indexes material on a user's
local hard disk and then blends Web search results with local user
information like electronic mail, text documents and other files. The flaw
would permit a search to reveal only small portions of the files.

The way the software tool is designed, a user's queries, but no locally
stored information, is distributed via the Internet. But by reading user
queries sent to its search service, Google is able to place its AdWords
text advertisements next to the search results displayed in a user's
browser window.

In a statement over the weekend, the company said that it had been notified
of the flaw by the computer researchers in late November and had begun
distributing a new version of the desktop search engine that repairs the
potential security hole. Google's introduction of a desktop search tool has
touched off a competition with its closest Web search service competitors,
Microsoft and  Yahoo.

 Microsoft made a test version of its desktop search tool available last
Monday as part of its MSN toolbar suite, and Yahoo has said that it will
begin testing a similar search tool in January.

The Rice University researchers said that they had not yet examined
Microsoft's desktop search program, but noted that the service did not
appear to integrate Web and local search results in the same manner as the
Google tool.

The researchers said that the Google security weakness lay in the way that
Google Desktop was designed to intercept outgoing network connections from
the user's computer.

The program looks for traffic that appears to be going to Google.com and
then inserts results from a user's hard disk for a particular search. They
found that it was possible to trick the Google desktop search program into
inserting those results into other Web pages where an attacker could read
them.

 An attack would require a user to visit the attacker's Web site first, and
any type of Web browser could make a user vulnerable. Google said there was
no evidence that any such attacks had occurred.

 The Rice group was able to create a Java program that makes network
connections back to the computer from where it was downloaded and then make
it appear as if it were asking for a search at Google.com. That was enough
to fool the Google desktop software into providing the user's search
information. The program was able to do anything with the results,
including transmitting them back to the attacking site.

"This began as a student project to study how Google Desktop worked and to
see if there were any security flaws," said Professor Wallach. "We started
by wondering how Google did the local search integration. Once we figured
out how it worked, it wasn't too much extra work to break it."

The researchers said that Google had responded quickly to their alert last
month and had begun releasing a corrected version of the program on Dec. 10.

 The Google desktop program includes an update feature that permits the
company to automatically install new versions of the program on users'
computers without user intervention or knowledge.

The Rice researchers said that it was possible for users to tell if their
version of the Google program had been patched by examining the "about"
page from the Google Desktop icon in the browser task bar. Version numbers
above 121,004 indicate a newer edition of the program.

-- 
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'





More information about the cypherpunks-legacy mailing list