Flaws in Google desktop search
Google Desktop Search is an indexing tool, currently in beta testing, designed to give users fast, intuitive searching of local files. The principal interface is provided through a local web server, which presents an interface similar to Google.com’s normal web page. Local files are indexed when the system is idle, and the indexer understands a number of common file types.
An optional feature lets Google Desktop integrate a short summary of local search results with Google.com web searches. Desktop Search allows you to send your query simultaneously to two different programs and locations. One query goes to Google, which performs a standard Google Web Search. A duplicate query goes to the Desktop Search application running on your computer, which searches the information the application has indexed for you. Desktop Search intercepts Google’s results page before you see it and adds your Desktop Search results just above your web results, so you can see both at once.
The integration is a local operation. It is performed by an agent running locally on the machine, which intercepts incoming Google result pages and integrates the results from local indexing. Because the Google Desktop application bases its decision to integrate strictly on network traffic, all that is required for an eavesdropper to obtain an integrated web page is to open a socket on the target computer and send an HTTP request to Google.com, either directly or through any server configured as a web proxy server. This is well within the capabilities of a Java applet, even when running under the restrictive “sandbox” security model. A Java applet, making a connection to its origin server that the sandbox permits, can fool the Google Desktop service into integrating local search results into non-Google pages.
Google says it has fixed the flaw, so download the latest version of Desktop Search.
If you are using the older version of the tool, disable the integration of local search results with web searches; the attack would then be completely defeated. This only requires deselecting a single checkbox on the “preferences” screen.