Google Desktop Search ignores Preferences

From: Elliott Bäck (ecb29_at_cornell.edu)
Date: 11/14/04

    Date: Sun, 14 Nov 2004 02:09:16 -0500
    To: bugtraq@securityfocus.com
    
    

    Overview:
    -----------------------------------------
     Product: Google Desktop Search
    Versions: Beta 100504 (Current version)
        Date: 11-13-2004
        Risk: Low (Local disclosure)

    Product Information:
    -----------------------------------------
     From the application, "Google Desktop Search application indexes and
    stores versions of your files and other computer activity, such as
    email, chats, and web history. These versions may also be mixed with
    your Web search results to produce results pages for you that integrate
    relevant content from your computer and information from the Web. Your
    computer's content is not made accessible to Google or anyone else
    without your explicit permission."

    Vulnerabilities:
    -----------------------------------------
    Although one of the features of Google Desktop Search is to archive web
    history in its index for future searching, unchecking the preference to
    archive "Web History" and saving the preference does not clear the web
    history from the index. It only prevents the archiving of future
    web-history. It is therefore possible for any other user on the machine
    to reset the preferences and recover all archived web history, or probe
    the index file (in theory).

    Workaround:
    -----------------------------------------
    Manually delete the index or the portions of Web History through the
    Google interfaces that are considered sensitive.

    Vendor:
    -----------------------------------------
    Google support has been notified of this minor issue.

    Thanks,
    Elliott C. Bäck
    www.elliottback.com

