Serious flaw in Google Desktop gets fix

Several flaws in the popular Google Desktop software could open PCs up to intruders and possible data theft, a security company has warned.

The search giant has released patches for the issues, which were reported by Watchfire in a paper published Wednesday (PDF and demonstration). One of the problems is a cross-site scripting flaw that could let an outsider look through files on a compromised machine.

Google Desktop applies the same technology found in Google's search engine to let users try to find items on their PC and on shared networked computers. The tool indexes and combs through e-mails, documents and files on the user's PC and stores Web pages as part of its approach.

Hackers could use cross-site scripting to manipulate Google Desktop's functionality for their own ends, said Danny Allan, director of security research at Watchfire. The desktop application's integration with Google Search, Google's public Internet search application, is a weak spot, he added. It means that the vulnerabilities found by Watchfire could have been exploited without the attack being detected by information protection systems, antivirus software and firewalls, he said.

Such an attack is different from traditional ones, because it relies on JavaScript code, rather than the insertion of binary code, to control Google Desktop. It uses the application remotely to search for confidential information, according to Watchfire's report.

That means that passwords and banking information stored either in computer files or in Web page history could be accessed remotely by the attacker, Allan said.

Watchfire notified Google on January 4 of three vulnerabilities and one architectural flaw in the application, Allan said. Google responded to the security company on February 1 and asked for a few weeks before Watchfire went public with the information. The search giant has issued a patch for the problems.

"A fix was developed quickly, and users are being automatically updated with the patch," Google said in a statement. "In addition, we have another layer of security checks to the latest version of Google Desktop to protect users from similar vulnerabilities in the future."

The search company recommends that people make sure they are running the most recent version of Google Desktop.

It does not appear that anyone actually took advantage of the vulnerabilities and made attacks on Google Desktop users, both Watchfire and Google said.

However, Google Desktop is still vulnerable to these cross-site scripting attacks, Allan said, because of the "poor architectural decision" to include a link from Google Web servers to the Google Desktop user's PC.

"The three vulnerabilities were fixed. We also recommended to Google that if there was not a link between Google.com and my machine, then (the hacker) would not be able to connect to my computer. We believe they should remove that link or give consumers a choice as to whether someone can connect from the public Internet to their computer," Allan said.

The link enables a feature that places "Desktop" as one of the choices above the Google home page search bar, alongside choices like "Images" and "News," once a user has downloaded Google Desktop. It allows Google Desktop users, no matter which browser they are in, to switch between searching the Internet and searching their computer from the Google home page, according to the Watchfire report.

"If another vulnerability is found within Google Desktop, then the same devastating things could happen," Allan said.

Allan likened the architectural link to the Internet to a swinging screen door. It's fine for it to swing out so that I can get out there, but it should not be allowed to swing back in, he said.