Friday, September 20, 2024

Security Flaw Found In Google Desktop Search

A serious security flaw was discovered in the Google Desktop Search application by a Rice University teacher and two students.

According to a report in the New York Times, “The glitch, which could permit an attacker to secretly search the contents of a personal computer via the Internet, is what computer scientists call a composition flaw – a security weakness that emerges when separate components interact.”

“When you put them together, out jumps a security flaw,” commented Dan Wallach, an assistant professor of computer science at Rice University in Houston, who discovered the flaw last month with two graduate students, Seth Fogarty and Seth Nielson. “These are subtle problems, and it takes a lot of experience to ferret out this kind of flaw,” Professor Wallach stated.

More from the New York Times:

“The Rice University researchers said that they had not yet examined Microsoft’s desktop search program, but noted that the service did not appear to integrate Web and local search results in the same manner as the Google tool.

The researchers said that the Google security weakness lay in the way that Google Desktop was designed to intercept outgoing network connections from the user’s computer.

The program looks for traffic that appears to be going to Google.com and then inserts results from a user’s hard disk for a particular search. They found that it was possible to trick the Google desktop search program into inserting those results into other Web pages where an attacker could read them.

An attack would require a user to visit the attacker’s Web site first, and any type of Web browser could make a user vulnerable. Google said there was no evidence that any such attacks had occurred.

The Rice group was able to create a Java program that makes network connections back to the computer from where it was downloaded and then make it appear as if it were asking for a search at Google.com. That was enough to fool the Google desktop software into providing the user’s search information. The program was able to do anything with the results, including transmitting them back to the attacking site.

“This began as a student project to study how Google Desktop worked and to see if there were any security flaws,” said Professor Wallach. “We started by wondering how Google did the local search integration. Once we figured out how it worked, it wasn’t too much extra work to break it.””

Read the New York Times article here.
