Monday, December 20, 2004

Paper on cracking Google Desktop Search

Seth Nielson, Seth Fogarty, and Dan Wallach released a paper, "Attacks on Local Search Tools"(PDF), that discusses in detail the widely reported security flaw in Google Desktop Search.

The paper is worth reading. Most interesting are the details on the implementation of Google Desktop Search. They found:
  1. Google Desktop must be observing all outgoing network connections.
  2. Google Desktop performs packet analysis to identify HTTP proxy connections in addition to looking for direct connections to Google.
  3. The search requests did not need to originate from a web browser visiting
  4. Integration is triggered by observing outgoing packets, and occurs after packets are received, but before they are given to the web browser or application.
This is pretty cool. Google Desktop Search integrates local results into a Google search by intercepting the request out to Google and rewriting it before it gets to the web browser.

At this point, Nielson et al. had already found the chink in the armor, that the request doesn't have to be from a web browser directly. They tried a few tricks to get Google Desktop Search to show local data inappropriately. And were successful.
    We found that the Google Desktop personal search engine contained serious security flaws that would allow a third party to read the search result summaries that are embedded in normal Google web searches by the local search engine. While an attacker would not be able to read the victim’s files directly, the search results often contain snippets of the file results that will be visible to the attacker.
Doh. No need to panic though. Google has already patched the problem and automatically updated everyone.

Google Desktop Search's integration of the local search results into a Google web search was really clever. Ever since I saw it, I've been curious about the details of how it was implemented. This paper was an enjoyable read.

[via eWeek and InsideGoogle]

Update: Nikhil Bhatla (PM, Google Desktop Search) posts about the security patch on the official Google weblog.

1 comment:

Amit Agarwal said...

Thanks for this pointing to this interesting read.

The Indian Blogger