Searching for Vulnerabilities

In response to Simon Willison's comment on desktop search tools, the password issue has been concerning me for some time whilst using Google Desktop.

I've been using Google Desktop for a few months now, and use it mainly for the searching of Thunderbird and finding websites again. I've also added in the spider plug-in so I can easily search the Rails documentation. For these tasks, Google Desktop has been working great.

However, as Simon mentions, passwords are particularly easy to find stashed away at the bottom of your inbox. This was concerning me initially, but, whether by complacency or analysis, in the end I came to the conclusion that it wasn't too bad. I figure that if the site is insecure enough to send you your password in clear text, chances are it's either something where security isn't critical (mailing lists, for example) or something like a forgotten-password reminder, which (one hopes) you will change immediately anyway.

In a sense, if you have any passwords sitting in your email that are more important, they aren't that important to you. Unless you host your own mail server, you don't know who could be peering through your mail. Email is not secure, and people shouldn't treat it as such.

As a side note, it's interesting to consider the role of search engines in some of the recent attacks - as we saw with the phpBB worm a few months ago, search engines are becoming more common tools for finding targets of vulnerabilities. Google Desktop, Spotlight, Copernic and the rest are going to bring this to a new level unless they are secured.

It's in cases such as this where you hit that old "Flexibility vs. Security" dichotomy that Zanchey brought up the other day. I was happy to see that Google Desktop's local server only listens on localhost, and even happier to see it require a unique "session id" from the client in order for a search to work. I've heard unsubstantiated rumours that it is stored in the registry, however I couldn't find it (with my most cursory of glances) - for all our sakes I hope it isn't.
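To show what those two protections look like in practice, here is an added example (not Google Desktop's code, and it assumes nothing about the real token's format or storage): a toy local search service that binds only to the loopback address and refuses any query that does not carry a per-launch secret token, compared in constant time. The index and query parameter names are constructed for the example.

```python
import http.server
import secrets
import hmac
import urllib.parse

# Per-launch secret; a client must present it on every request.
# Constructed here; the real Google Desktop token format is not known to this example.
SESSION_TOKEN = secrets.token_urlsafe(32)

# Tiny constructed index standing in for the desktop index.
INDEX = {
    "rails routing": "file:///docs/rails/routing.html",
    "thunderbird filters": "mail://inbox/42",
}


def authorize(query_string, expected_token=None):
    """Return True only when the request carries the correct session token.

    The comparison is constant-time so the token cannot be recovered
    byte by byte through timing differences."""
    expected = expected_token if expected_token is not None else SESSION_TOKEN
    params = urllib.parse.parse_qs(query_string)
    supplied = params.get("s", [""])[0]
    return hmac.compare_digest(supplied.encode(), expected.encode())


def search(query_string, expected_token=None):
    """Return (status, results); 403 and no results without a valid token."""
    if not authorize(query_string, expected_token):
        return 403, []
    q = urllib.parse.parse_qs(query_string).get("q", [""])[0].lower()
    return 200, [url for key, url in INDEX.items() if q and q in key]


class Handler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        parsed = urllib.parse.urlparse(self.path)
        status, results = search(parsed.query)
        body = "\n".join(results).encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def serve():
    # Bind to loopback only; binding 0.0.0.0 would expose the index to the whole LAN.
    httpd = http.server.HTTPServer(("127.0.0.1", 0), Handler)
    port = httpd.server_address[1]
    print(f"listening on http://127.0.0.1:{port}/search?s={SESSION_TOKEN}&q=rails")
    httpd.serve_forever()


if __name__ == "__main__":
    serve()
```

The token lives only in the process's memory and is printed once for the launching client; keeping it out of a world-readable location such as the registry is exactly the point the paragraph above raises, since a localhost bind alone does not stop another local process or a web page from talking to the port.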

Regardless, desktop search is going to be a hot topic for the security community to keep its eyes sharply peeled on in the future.