A security flaw found late last year in Google Desktop was quickly patched, but the company that discovered it says the popular application’s mix of Web and private hard drive searches might still be risky.
Google Desktop, which uses Google search technology to scan PC hard drives as well as the Web, could be hacked by someone using a cross-scripting attack, according to a report issued by Watchfire, which discovered the hole last autumn.
A savvy hacker could surreptitiously achieve “not only remote, persistent access to sensitive data, but full system control as well,” warned Watchfire.
Given Time to Fix the Flaw
Watchfire found the problem in October 2006 and alerted Google in January, Watchfire Chief Technology Officer Mike Weider told TechNewsWorld.
“They then fixed it in February and now here we are publishing this to the public,” said Weider. Watchfire purposely delayed announcing its discovery, and coordinated the announcement to coincide with Google’s report of a fix for the problem, because it would be “irresponsible to announce a major hole in Google Desktop” without first allowing Google to create a solution, he added.
However, while Google has plugged the gap through which thieves could steal private information using the increasingly popular hacker method of cross-site scripting, Weider remains concerned that Google Desktop does not offer users a way to prevent simultaneous searching of their own computers and the Web.
Mixing Public With Private
“It does a query to Google Desktop and adds those results to ones from Google.com,” he explained. “It’s that interaction that creates a vulnerability.” Google should give users the option to prevent Desktop from simultaneously searching the Web, Weider suggested, but he understands why it hasn’t.
“I think it has functional benefits to the product,” said Weider, who acknowledged the feature is “nice” to use. The matter appears to be a “classic compromise” between good security and popular functionality, he noted.
“Watchfire notified us of this potential vulnerability, which requires an attacker to first find and attack a vulnerability in Google.com,” Google spokesperson Barry Schnitt told TechNewsWorld. ” A fix was developed quickly and users are being automatically updated with the patch. In addition, we have another layer of security checks to the latest version of Google Desktop to protect users from similar vulnerabilities in the future.
“We have received no reports that this vulnerability was exploited,” Schnitt continued. “However, users should make sure they are running the latest version of Google Desktop by going to desktop.google.com and downloading the latest version and installing it.”
The Wave of the Future?
The situation “clearly emphasizes the danger of integration between desktop applications and Web-based applications as an aperture for a malicious attacker to escalate his/her privileges by crossing from the Web environment to the desktop application environment,” according to Watchfire.
Google Desktop “in and of itself is an interesting proposition” from a security standpoint, Craig Schmugar, threat research manager for McAfee Avert Labs, told TechNewsWorld. “There certainly are security concerns” with Google Desktop “even beyond this particular vulnerability,” he added. “Just the notion of data integrity and data loss … there are certainly additional concerns about what you should be running on your machine and how that application needs be secured.”
Even though using Google Desktop might be somewhat risky, Weider said he likes it. “Google, to its credit, has built a great product and I’m going to continue using it,” he declared.
In general, as people and companies embrace Web 2.0’s interactivity, more of these types of problems are likely to surface. “We are likely to hear more of this especially around Web 2.0 as end user ability to create content for Web sites opens up this whole world,” Schmugar predicted.
“From what we’ve seen, Web application security is one of the most critical issues facing companies in 2007,” Weider concluded.