The paper is worth reading. Most interesting are the details on the implementation of Google Desktop Search. They found:
- Google Desktop must be observing all outgoing network connections.
- Google Desktop performs packet analysis to identify HTTP proxy connections in addition to looking for direct connections to Google.
- The search requests did not need to originate from a web browser visiting Google.com.
- Integration is triggered by observing outgoing packets, and occurs after packets are received, but before they are given to the web browser or application.
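To make the findings above concrete, here is an added sketch (not code from the paper or from Google Desktop) of a trigger that decides from the outgoing request bytes alone. The function names, trigger hosts, search path and sample requests are assumptions constructed for illustration. It shows that direct and proxy-form requests both match, and that nothing in the decision depends on which application sent the request.

```python
from urllib.parse import urlsplit

# Assumed trigger hosts and path for this sketch; the page only says "Google.com".
SEARCH_HOSTS = {"google.com", "www.google.com"}
SEARCH_PATH = "/search"

def classify_request(raw: bytes):
    """Parse the head of an outgoing HTTP/1.x request.

    Returns (kind, host, path). kind is "proxy" for an absolute-form target
    (what a client sends to an HTTP proxy) and "direct" for an origin-form
    target plus Host header. Returns None if the bytes are not HTTP.
    """
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        return None
    target = parts[1]
    if target.lower().startswith("http://"):
        url = urlsplit(target)
        return ("proxy", (url.hostname or "").lower(), url.path or "/")
    host = ""
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            host = value.strip().split(":")[0].lower()  # drop any port
    return ("direct", host, target.split("?", 1)[0])

def would_trigger(raw: bytes) -> bool:
    """Network-level trigger: looks only at destination host and path."""
    info = classify_request(raw)
    if info is None:
        return False
    _, host, path = info
    # Nothing here identifies the sending application. User-Agent is set by
    # the client, so it could not serve as proof of origin either.
    return host in SEARCH_HOSTS and path == SEARCH_PATH

# Constructed sample requests (not captured traffic).
BROWSER_DIRECT = (b"GET /search?q=test HTTP/1.1\r\nHost: www.google.com\r\n"
                  b"User-Agent: Mozilla/5.0\r\n\r\n")
BROWSER_PROXY = (b"GET http://www.google.com/search?q=test HTTP/1.1\r\n"
                 b"Host: www.google.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n")
OTHER_APP = (b"GET /search?q=test HTTP/1.0\r\nHost: www.google.com:80\r\n"
             b"User-Agent: ExampleApp/1.0\r\n\r\n")
UNRELATED = b"GET /index.html HTTP/1.1\r\nHost: example.org\r\n\r\n"

if __name__ == "__main__":
    for name in ("BROWSER_DIRECT", "BROWSER_PROXY", "OTHER_APP", "UNRELATED"):
        print(name, classify_request(globals()[name]), would_trigger(globals()[name]))
```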
At this point, Nielson et al. had already found the chink in the armor: the request doesn't have to come from a web browser directly. They tried a few tricks to get Google Desktop Search to show local data inappropriately, and were successful.
- We found that the Google Desktop personal search engine contained serious security flaws that would allow a third party to read the search result summaries that are embedded in normal Google web searches by the local search engine. While an attacker would not be able to read the victim's files directly, the search results often contain snippets of the file results that will be visible to the attacker.
Google Desktop Search's integration of the local search results into a Google web search was really clever. Ever since I saw it, I've been curious about the details of how it was implemented. This paper was an enjoyable read.
[via eWeek and InsideGoogle]
Update: Nikhil Bhatla (PM, Google Desktop Search) posts about the security patch on the official Google weblog.