Researchers at Rice University have discovered what they say is a flaw in the beta version of Google's Desktop Search product that could allow third parties to access users' search result summaries, providing a sneak peek at part of the content of personal files.
A description of the flaw, which was discovered by Rice computer sciences professor Dan Wallach and two graduate students, was posted on the university's Computer Security Lab website late onSunday. The researchers labelled the glitch as "serious" and said it could allow attackers to read snippets of files embedded in Google's normal web searches by the local search engine.
Google was notified of the flaw and has fixed it in an update that is currently being rolled out through an auto-update feature, the company says.
The Rice researchers say users can check if they have the updated version by selecting the "about" icon in their Google Desktop Search task bar. If it says version number 121004, indicating 10 December 2004, or later, they are safe, the researchers say.
To be affected, a user would have to visit a website where an attacker has embedded a particular Java applet. The applet makes certain network connections that trick Google Desktop into integrating a user's local search results with results from an online search. When users visit the compromised site, the applet reads their local search result summaries and sends them back to the attacker's server.
Summaries from Google Desktop searches often contain snippets of content from personal files, and it is this content that the attacker is able to read, the researchers say.
Users on wireless networks can be attacked even if they are not visiting a compromised site, if the attacker tampers with the network connections being made by the user's web browser, the researchers say. By doing this, the attack could be injected into any other Web page.
Google released a beta version of its desktop search product in October, allowing users to search PC files, local email messages and archived chat sessions. It joined an industry stampede into the local search space, with AOL, Yahoo and Microsoft all driving their searches onto the desktop.
Other desktop search products are not believed to have the flaw, however, since Google's is the only one which seamlessly integrates local search results with those of online searches.