Google: Security flaw is fixed

February 20, 2007 09:43 PM E-mail| |Comments ()| Text size +

A potentially devastating hole in Google's desktop search product could have exposed personal files on users' computers to data thieves.

Google fixed the defect within weeks of being informed about it and says it has no evidence the vulnerability was exploited.

The flaw was uncovered late last year by Watchfire Corp., a security-analysis provider in Waltham. While the vulnerability exists in roughly 80 percent of Web applications, this problem appeared far more extreme "given the sensitive nature of what Google Desktop is doing," said Danny Allan, a researcher at Watchfire.

Google's free desktop product, released in 2004, has millions of users. Internet tracker Hitwise says visits to http://desktop.google.com tripled in January.

The system lets users set Google's indexing and searching capabilities loose on their own computers in addition to the Web. The service offers a fast, easy way to find documents, e-mails, instant-messaging transcripts, archived Web pages, and other tidbits on PCs. A Google executive once described it as "the photographic memory of your computer."

The Watchfire researchers discovered, however, that the setup was open to something known as a cross-site scripting attack, which lets an attacker place malicious code on a Google Desktop user's computer. The PC could be infected a number of ways, including an infected e-mail attachment.

From that instant, a hacker would have had free reign to use Google Desktop to search the victim's machine and possibly to take full control of the computer, according to Watchfire. Watchfire's chief technical officer, Mike Weider, said the attack would have gone undetected by firewalls or antivirus software.

Watchfire said it reported the security hole to Google Jan. 4 and was assured Feb. 1 that the flaw had been fixed. Google spokesman Barry Schnitt said the desktop search software gets automatically updated, so users do not need to take any steps to protect themselves.

Watchfire contends another threat could emerge because Google maintains a link between desktop and Web data -- a query on a computer with Google Desktop can show search results from both realms.

Schnitt said via e-mail that Google has "taken many steps to protect our users and mitigate such attacks."
(AP)

Email this article

Invalid email address
Invalid email address

Sending your article

Your article has been sent.

« all business news updates
Col3