Security hole found in Google desktop search

Researchers at Rice University have discovered what they say is a flaw in the beta version of Google's Desktop Search product that could allow third parties to access users' search result summaries, providing a sneak peek at part of the content of personal files.

Free IT resource Virtualization Insights from Top Experts - Learn how virtualization gets real! Sponsored by Dell Free IT resource TechNet: More ways to know it, share it, and keep it running. Sponsored by Microsoft

A description of the flaw, which was discovered by Rice computer sciences professor Dan Wallach and two graduate students, was posted on the university's Computer Security Lab Web site late Sunday. The researchers labelled the glitch as "serious" and said it could allow attackers to read snippets of files embedded in Google's normal Web searches by the local search engine.

Google was notified of the flaw and has fixed it in an update that is currently being rolled out through an auto-update feature, the company said Monday.

The Rice researchers said users can check if they have the updated version by selecting the "about" icon in their Google Desktop Search task bar. If it says version number 121004, indicating Dec. 10, 2004, or later, they are safe, the researchers said.

To be affected, a user would have to visit a Web site where an attacker has embedded a particular Java applet. The applet makes certain network connections that trick Google Desktop into integrating a user's local search results with results from an online search. When users visit the compromised site, the applet reads their local search result summaries and sends them back to the attacker's server, they said.

Summaries from Google Desktop searches often contain snippets of content from personal files, and it is this content that the attacker is able to read, the researchers said.

Users on wireless networks can be attacked even if they are not visiting a compromised site, if the attacker tampers with the network connections being made by the user's Web browser, the researchers said. By doing this, the attack could be injected into any other Web page, they said.

Google released a beta version of its desktop search product in October, allowing users to search PC files, local e-mail messages, and archived chat sessions. It joined an industry stampede into the local search space, with America Online (AOL), Yahoo, and Microsoft all driving their searches onto the desktop.

Other desktop search products are not believed to have the flaw, however, since Google's is the only one which seamlessly integrates local search results with those of online searches, the researchers said.