
Google fixes Desktop security flaw

by Nikola Strahija on October 31st, 2004

The very first flaw in Google's Desktop Search product has been discovered, and now fixed, according to the company’s spokesperson. The JavaScript vulnerability allowed third-party websites to view the results of searches made on your local hard drive.


It took Google four days to address the problem, and according to the JavaScript expert who raised the alarm, it still hasn't been adequately patched. Moreover, the vulnerability is over two years old.

Software developer Jim Ley, who maintains the comp.lang.javascript FAQ, was the first to announce the flaw. On Monday he mentioned it on his weblog, but nobody noticed. Ley's email message to [email protected] bounced, so he looked in vain for a security hotline number.

On Tuesday, though, he demonstrated an ingenious potential application of the bug: a phishing exploit that announced that Google was becoming a subscription service, and invited the victim to enter their credit card details. Still no response.

Google finally took notice after the vulnerability was posted on the Security Focus BugTraq mailing list. They couldn't explain why their email or phone contact for security alerts wasn’t working, but seemed anxious to remove the phishing example.

"The fix they put in place is still flawed, it relies on special casing the vbscript, javascript and perlscript strings, meaning other language protocols are still at risk in IE with its multiple scripting language capability," said Ley.
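
The weakness Ley describes, a filter that special-cases three scheme strings, shows up when a denylist check is run beside an allowlist check on the same inputs. This is an added example, not Google's code or anything from the original article; the function names, the `otherscript:` placeholder scheme and the choice of `http`/`https` as the allowed set are assumptions.

```javascript
// Added illustration, not Google's code. All function names are hypothetical.

// The three scheme strings the article says the fix special-cases.
const DENIED = ["javascript", "vbscript", "perlscript"];

// Assumption: only ordinary web schemes are legitimate link targets here.
const ALLOWED = new Set(["http", "https"]);

// Return the lowercased scheme of a URL, or null for a relative URL.
// Whitespace and control characters are dropped first (conservatively),
// so "JaVa\tScript:" is still recognised as "javascript".
function schemeOf(url) {
  const cleaned = String(url).replace(/[\u0000-\u0020]/g, "");
  const m = /^([a-z][a-z0-9+.\-]*):/i.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

// Denylist: block only the schemes someone thought to enumerate.
function denylistAllows(url) {
  const s = schemeOf(url);
  return s === null || !DENIED.includes(s);
}

// Allowlist: permit only schemes known to be safe; everything else fails closed.
function allowlistAllows(url) {
  const s = schemeOf(url);
  return s === null || ALLOWED.has(s);
}

// Constructed sample inputs. "otherscript:" is a placeholder standing in for
// any scripting protocol that is not on the denylist.
const samples = [
  "https://example.com/results",
  "/search?q=a:b",
  "javascript:void(0)",
  "JaVa\tScript:void(0)",
  "otherscript:run",
];

// Evaluate both policies on each URL so the difference is visible side by side.
function compare(urls) {
  return urls.map((u) => ({
    url: u,
    denylist: denylistAllows(u),
    allowlist: allowlistAllows(u),
  }));
}

console.table(compare(samples));
```

Only the last sample separates the two policies: the denylist lets the unlisted scheme through, while the allowlist rejects it without needing to know it exists.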

