Google Desktop flaw put users' personal files at risk

Flaw could have allowed hackers to access all the personal documents on a computer

Google has fixed a security flaw in the company's desktop search product that could have let hackers take control of a personal computer, but the security company that discovered the flaw says the design of the Google application could lead to similar threats in the future.

Google Desktop is a free application that searches a computer for e-mails, Web history and various files. Watchfire, a company that provides security analysis software, notified Google last month that the desktop application was vulnerable to a cross-site scripting attack, which places malicious code on a user's computer.

A computer running Google Desktop could have been exploited if a user clicked on an infected e-mail file or a Web site or RSS feed loaded with the attack, says Mike Weider, CTO of Watchfire.

The flaw was serious because it could have allowed hackers to access all the personal documents on a computer.

"I would definitely say by a large margin this is the most serious flaw we've discovered with Google or maybe any other Web application," Weider says.

Google fixed the error by early February, he says.

Google says there have been no reports of the vulnerability being exploited. It developed a patch to fix the security flaw and says each user's version of Google Desktop is being updated automatically.

"Google claims it happens automatically. It didn't for me and other people at Watchfire when we tried it," Weider says. "It definitely seems as though there are cases where it doesn't automatically update."

In a statement to media, Google says, "We have [added] another layer of security checks to the latest version of Google Desktop to protect users from similar vulnerabilities in the future. We have received no reports that this vulnerability was exploited. However, users should make sure they are running the latest version of Google Desktop by going to [Google's Web site] and downloading the latest version and installing it."

Weider says users could be made vulnerable again in the event another cross-site scripting method of attack is identified, because there is a connection between the Google Web site and desktop application.

According to Weider, Google could prevent these vulnerabilities in the future by giving users the ability to disconnect the desktop application from the Google Web site.

"You have offline applications like a search tool that will search your index, and you have online sites like Google.com. What this application does is create a linkage between the two, where you could search on Google.com and get results from your desktop," Weider says.

When asked whether it plans to give users the option of disconnecting the Web site and desktop application, Google did not answer and instead referred to a statement that does not mention the issue.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jon Brodkin

Network World
Show Comments

Cool Tech

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Breitling Superocean Heritage Chronographe 44

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?