Desktop Google Finds Holes

Google's desktop search software is so good that it exposes vulnerabilities on your computer that you didn't know about.

Last month, Google released a beta version of its desktop search software: Google Desktop Search. Install it on your Windows machine, and it creates a searchable index of your data files, including word processing files, spreadsheets, presentations, e-mail messages, cached Web pages and chat sessions. It's a great idea. Windows' searching capability has always been mediocre, and Google fixes the problem nicely.

There are some security issues, though. The problem is that GDS indexes and finds documents that you may prefer not be found. For example, GDS searches your browser's cache. This allows it to find old Web pages you've visited, including online banking summaries, personal messages sent from Web e-mail programs and password-protected personal Web pages.

GDS can also retrieve encrypted files. No, it doesn't break the encryption or save a copy of the key. However, it searches the Windows cache, which can bypass some encryption programs entirely. And if you install the program on a computer with multiple users, you can search documents and Web pages for all users.

GDS isn't doing anything wrong; it's indexing and searching documents just as it's supposed to. The vulnerabilities are due to the design of Internet Explorer, Opera, Firefox, PGP and other programs.

First, Web browsers should not store SSL-encrypted pages or pages with personal e-mail. If they do store them, they should at least ask the user first.

Second, an encryption program that leaves copies of decrypted files in the cache is poorly designed. Those files are there whether or not GDS searches for them.

Third, GDS' ability to search files and Web pages of multiple users on a computer received a lot of press when it was first discovered. This is a complete nonissue. You have to be an administrator on the machine to do this, which gives you access to everyone's files anyway.

Some people blame Google for these problems and suggest, wrongly, that Google fix them. What if Google were to bow to public pressure and modify GDS to avoid showing confidential information? The underlying problems would remain: The private Web pages would still be in the browser's cache; the encryption program would still be leaving copies of the plain-text files in the operating system's cache; and the administrator could still eavesdrop on anyone's computer to which he or she has access. The only thing that would have changed is that these vulnerabilities once again would be hidden from the average computer user.

In the end, this can only harm security.

GDS is very good at searching. It's so good that it exposes vulnerabilities on your computer that you didn't know about. And now that you know about them, pressure your software vendors to fix them. Don't shoot the messenger.


This article originally appeared in eWeek.

Posted on November 29, 2004 at 11:15 AM • 15 Comments

Comments

Dobrica Pavlinusic • November 29, 2004 2:39 PM

Google desktop search has an option not to crawl https sites. That would keep sensitive information away from search results. I think (and currently I don't have an easy way to verify it) that it doesn't crawl secure sites by default.

Dan • November 29, 2004 5:46 PM

Dobrica, that may be the case, but the point being made is more toward the problems already existing. People are pointing toward Google's software as being a security issue, where the real problems are the underlying systems that insecurely keep cached data.

brian • November 29, 2004 7:11 PM

Exactly. Google's software just indexes all of the files it finds. It would be ridiculous to expect Google to know which files are OK to index and which files are the "secure" ones for every possible application.

If Google were to "fix" the problem, it could open yet another security hole; Google's "skip list" would be a roadmap to the very information they would be trying to "protect". They would have to update their product for any new applications that leave personal data exposed on disk, or else it might be "compromised" by GDS.

The vulnerabilities may, as Bruce said, again be hidden from the average user, but there will be an up-to-date checklist for anyone who's looking.

Jojo • November 29, 2004 8:19 PM

You can keep HTTPS pages (like banking or financial info) from going into the TIF cache.

Just go to Internet Options under Security heading and make sure "Do not save encrypted pages to disk" is turned on.

Of course, this option isn't easy to find for the average user. But then nothing is really easy to find in Windows with so many options scattered about haphazardly, that even experienced people have difficulty tracking them all. This is a consequence of band-aiding updates upon updates on top of a poor initial OS design. Windows needs to be rewritten from the ground up!

Jean-Marc DELATRE • November 30, 2004 2:51 AM

Just about this part of Bruce's article:
START QUOTE
Third, GDS' ability to search files and Web pages of multiple users on a computer received a lot of press when it was first discovered. This is a complete nonissue. You have to be an administrator on the machine to do this, which gives you access to everyone's files anyway.
END QUOTE

Dunno what version you tested Bruce (if several), but the beta I tested forces the user to install the package with an administrative account (so far, why not), but the actual issue is that once installed, GDS requires that it must be run by the same user who did the installation...IOW with the same administrative account!
This is of course very bad practice, but also makes the abovementioned issue always true.
Anyway, I sent feedback on this to Google, so maybe the version you tested was fixed ;-)

Kjetil Jørgensen • November 30, 2004 3:05 AM

Ideally:

- Browsers should adhere to http-headers telling them not to cache web-objects
- content authors/providers should be aware of which pages contain sensitive data, and instruct the http-server to tell http-clients not to cache the content
- Users should not have to worry about what's cached or not.

That said, I'm sure that most content-providers/authors don't instruct browsers not to cache sensitive data, nor am I certain that all browsers adhere to the relevant meta-data telling them not to cache. So some form of black/white-listing (deciding from various criteria, SSL/TLS-encryption, presence of certain http or html headers, etc.), would probably make a good browser-feature.
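The black/white-listing decision described in the comment above, as an added sketch (not part of the original post or comments, and not any browser's actual logic): it combines the criteria named there, HTTP cache headers, HTML `http-equiv` meta tags, and SSL/TLS, into one keep-off-disk decision. The function names, the policy ordering, and the sample responses are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# <meta http-equiv="Cache-Control|Pragma" content="..."> (http-equiv before content).
META_RE = re.compile(
    r'<meta\s+[^>]*http-equiv\s*=\s*["\']?(cache-control|pragma)["\']?[^>]*'
    r'content\s*=\s*["\']([^"\']*)["\']',
    re.IGNORECASE,
)

def cache_directives(headers, html=""):
    """Lower-cased cache directive names from HTTP headers and HTML meta tags."""
    values = [v for k, v in headers if k.lower() in ("cache-control", "pragma")]
    values += [m.group(2) for m in META_RE.finditer(html)]
    names = set()
    for value in values:
        for part in value.split(","):
            name = part.split("=", 1)[0].strip().lower()
            if name:
                names.add(name)
    return names

def disk_cache_decision(url, headers, html="", skip_https=True):
    """Return (store_on_disk, reason). Hypothetical policy, stricter than HTTP requires."""
    found = cache_directives(headers, html)
    if "no-store" in found:          # the server forbids storing at all
        return (False, "no-store")
    if "no-cache" in found:          # policy choice: treat as "keep off disk"
        return (False, "no-cache")
    if skip_https and urlsplit(url).scheme.lower() == "https":
        return (False, "https")      # fallback for providers that send no headers
    return (True, "cacheable")

# Constructed sample responses: (url, headers, body)
SAMPLES = [
    ("http://news.example/today", [("Content-Type", "text/html")], ""),
    ("https://bank.example/summary", [("Cache-Control", "private, no-store, max-age=0")], ""),
    ("https://bank.example/summary", [], ""),
    ("http://mail.example/inbox", [], '<meta http-equiv="Pragma" content="no-cache">'),
]

if __name__ == "__main__":
    for url, headers, body in SAMPLES:
        print(url, disk_cache_decision(url, headers, body))
```

The `skip_https` fallback plays the same role as the "Do not save encrypted pages to disk" option mentioned in an earlier comment: it covers sensitive pages whose provider sent no cache headers at all.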

Dirk Wetter • November 30, 2004 4:29 AM

The title of the article is wrong IMHO. GDS is just giving something into people's hands which every security consultant could have achieved by other means. Sarcastically speaking: If it's really so good at it, maybe it should be included in future forensic tool kits.

I oppose the statement that "it can only harm security". It's the old battle between making bugs public and forcing vendors to fix their issues or not to reveal it.

Well... I agree that this might not belong in everybody's hands. But it makes people aware of what is possible. Awareness with respect to security issues is what a lot of people are missing nowadays. Partly through misleading marketing, partly because technical solutions put their emphasis on ease of use instead of on security and enlightenment of their users.

Fred • November 30, 2004 10:31 AM

Personally I think that the problem is more subtle. It's sure that the basic of GDS is well archived, working and helpful. It's sure that basically GDS is indexing already existing files on a desktop. It's sure that many problems are due to other applications' misconfiguration or bad development practices. But other questions are rising. Check out these 2 old weblog entries:

http://weblogs.asp.net/francip/archive/2004/10/19/244656.aspx

and

http://radio.weblogs.com/0140770/2004/10/16.html

Is GDS free of critics? Personally I'm not sure.

Clive Robinson • December 1, 2004 3:42 AM

Just to echo Dan's point, the underlying problem is the operating system. When Microsoft started on New Technology, the lead designer wanted to make "A better Unix than Unix".

A nice objective to go for, however MS had too much invested in "MS-DOS" and "16 bit Windows" so the OS had to be able to support 99% of the legacy software without breaking it. Due to the complexity of this and the limited resources of the time NT started to develop an "all in one basket" approach which might originally have had clear interfaces within it but they quickly became blurred and out of sight.

Another problem was the "single user" attitude, that the Personal Computer engendered that got carried forward into NT (remember the old joke about NT being C2 secure provided there was no floppy and network connected).

Until recently MS had no incentive to sort out the mess NT had become, it was full steam ahead with bells and whistles. The result was that security was all but ignored so much so that in versions of NT it was not possible to know that a process was actually running on the machine if the process decided not to broadcast it was there.

Was this MS's fault (partly) but you need to remember that companies who put the effort into security usually went out of business as their products did not develop at the speed users expected them to. The message was clear to most organisations "security does not pay in the market place" so they actively avoided it.

The result we have an OS that still tries to support 20 year old applications that were designed for an insecure, resource limited, single user, single tasking, 16Bit OS...

Sorting it out is a bit like the old joke about the farmer being asked the way to somewhere, after some careful thought he replies "If I was you I wouldn't start from here". Unfortunately MS does not have this option the market place won't let it start from scratch.

It has become fairly clear that Business is happy with XP and 2000/2003 and has no intention of upgrading any time within the next five years. MS needs a very large pile of cash going through the door just to keep the lights on.

MS have a real problem (and so do we all) put simply,

1. Its OS's have gone as far as its main customers want,
2. It gets a lot of bad publicity about the OS's and their security,
3. The market says security does not pay,
4. There are several non MS OS's available for nothing, some of which have a lot less in the way of security issues,
5. The functionality of non MS application software (some of it free) has the features most people want and used only to get from MS,
6. MS's need for cash each year exceeds the GDP of a hundred or so countries.

This is a significant problem for MS and us as consumers in the market place. I am not sure where MS is going to go but I would expect to see,

A. More FUD
B. More litigation by proxy
C. More direct litigation
D. More pressure on law makers world wide for new laws for things like patents, copyright, reverse engineering etc.
E. Other "protective" measures such as the "Trusted Computing" initiatives.

None of which are good for the market place or innovation.

Mad as it might be to some people we need to support MS to get security into their OS's and we need to convince the market place that security does need to be there and paid for.

In many ways security is like the roads we drive on, if roads are either not there or of poor quality we go nowhere slowly and our horizons are very limited.

We generally pay for roads through the "commons" ie central and regional taxation, unfortunately there is no mechanism like this in place for software security.

Francois Kashy • December 1, 2004 12:20 PM

It's true that the underlying OS and software are the sources of these security issues. It seems to me that GDS presents its own inherent security questions too. Now I could be wrong about all of this, I haven't investigated GDS at all. But just knowing how it operates presents three obvious issues. If it runs as a service or task with administrative privileges, it's an attractive target. It's also a network target (it connects back to google.com). Last, it saves an index of everything on the system - how secure is that index?

Mike • December 19, 2004 3:28 PM

No. Google is a security hole.

Try this:
1) Let Google Index your email
2) Delete an email from your exchange server
3) Search for that email.

Result:
It's been deleted from exchange, and the only cache on your system which still has it is Google Desktop Search.

This is a blatant violation of end-user trust. The user deleted email, and expected it gone. But Google hangs onto it.

What ever happened to "do no evil?"

lobo • May 10, 2006 9:14 PM

All of these are 2004. Our security staff tells us that using Google Desktop results in the information being stored on a google server (somewhere) and therefore is a security violation. They quote Gartner on this.
Have you heard of this?

Ross Presser • May 17, 2007 12:38 PM

lobo: GDS will only save data on Google's servers if you enable the "Search across computers" option.
