By BRIAN BERGSTEIN, AP Technology Writer
A potentially devastating hole in Google Inc.'s prevalent desktop
search product could have exposed personal files on users' computers
to data thieves. Google fixed the defect within weeks of being
informed about it and says it has no evidence the vulnerability was
exploited.
The flaw was uncovered late last year by Watchfire Corp., a
security-analysis provider. While the vulnerability exists in roughly
80 percent of Web applications, this problem appeared far more extreme
"given the sensitive nature of what Google Desktop is doing," said
Danny Allan, a researcher at Waltham, Mass.-based Watchfire.
Google's free desktop product, first released in 2004, has millions of
users and remains popular. Internet tracker Hitwise says visits to
http://desktop.google.com tripled in January.
The system lets users set Google's indexing and searching capabilities
loose on their own computers in addition to the Web. The service
offers a fast, easy way to find documents, e-mails, instant-messaging
transcripts, archived Web pages and other tidbits socked away on
PCs. A Google executive once described it as "the photographic memory
of your computer."
The Watchfire researchers discovered, however, that the setup was open
to something known as a cross-site scripting attack, which lets an
attacker place malicious code on a Google Desktop user's computer. The
PC could be infected a number of ways, including an infected e-mail
attachment.
From that instant, a hacker would have had free reign to use Google
Desktop to search the victim's machine -- or multiple compromised
machines at once -- and possibly to take full control of the computer,
according to Watchfire. Watchfire's founder and chief technical officer,
Mike Weider, said the attack would have gone undetected by firewalls or
antivirus software.
Watchfire said it reported the security hole to Google on Jan. 4 and
was assured Feb. 1 that the flaw had been fixed. Google spokesman
Barry Schnitt said the desktop search software gets automatically
updated, so users do not need to take any steps to protect themselves.
While this particular avenue for data theft has been shut down,
Watchfire contends that another one could emerge because Google
maintains a link between desktop and Web data -- a query on a computer
with Google Desktop can show search results from both realms.
"There's a high potential for this to happen again," Weider said.
However, Schnitt responded in an e-mail that Google has "taken many
steps to protect our users and mitigate such attacks."
"We've added an additional layer of security checks to prevent the
types of attacks pointed out by Watchfire and future possible attacks
through this vector as well," he wrote.
No matter whether such a threat re-emerges through Google, Allan
expects to see similar vulnerabilities increase overall, "as desktop
software and the Internet get more connected." As a result, he said,
antivirus vendors should develop techniques for detecting and blocking
such attacks.
Copyright 2007 The Associated Press.
NOTE: For more telecom/internet/networking/computer news from the
daily media, check out our feature 'Telecom Digest Extra' each day at
http://telecom-digest.org/td-extra/more-news.html . Hundreds of new
articles daily. And, discuss this and other topics in our forum at
http://telecom-digest.org/forum (or)
http://telecom-digest.org/chat/index.html
For more news and headlines, please go to:
http://telecom-digest.org/td-extra/AP.html
Brian Bergstein, AP (ap@telecom-digest.org)