Google Desktop Flaw

A new version of Google Desktop is available about one-month after Google was notified of a vulnerability in the desktop search application. Watchfire, a web application security company, notified Google about the loop hole on January 4th, 2007 and Google was able to make an updated version available on February 1st, 2007. Existing Google Desktop users do not need to worry about downloading and installing the new version because the software will automatically update itself.

The exploit comes in the the form of a cross-site scripting (XSS) attack that could allow a hacker to find private documents and even take control of the computer. A user’s computer can get hacked in multiple ways, including email attachments. Once the victim is hacked, the attacker can use Google Desktop to find the following information:

  • Sensitive information: Search for the terms ’confidential’ or ’top secret’.
  • Password theft: Search for ’username’ or ’password’ keywords and extract authentication information from mails/files.
  • Bank information: Search for bank keywords and find Bank Web pages Google Desktop indexed, along with sensitive information.
  • Track user activities: Google Desktop’s “Timeline View” option presents an extensive [chronological] log of files edited by the victim and Web sites visited, along with cached versions of both.

What’s even less reassuring is that Watchfire said four out of every five web applications suffer from the same vulnerability. Of course, Watchfire is a security company for web applications so they will definitely try and promote their services when opportunities arise, but it really makes you wonder how safe your information is.

If you want to read all of the details about how this works and how hackers can take advantage of searching your computer just checkout the whitepaper Watchfire produced on the vulnerability. I read through it and it was surprisingly interesting for being a whitepaper. Normally they are so boring that I can’t make it through the first page, but with all of the screenshots they use to assist in the explanation it really helps to convey what they are talking about. So if you’re bored one night and you’re a true geek, you may find this to be an enjoyable (yet informative) read.

Source: Google Blogoscoped, BetaNews, and MSN