Google Desktop Search ignores Preferences

[Elliott Bäck <ecb29 () cornell edu>]

Overview:
-----------------------------------------
Product: Google Desktop Search
Versions: Beta 100504 (Current version)
   Date: 11-13-2004
   Risk: Low (Local disclosure)

Product Information:
-----------------------------------------
From the application, "Google Desktop Search application indexes and 
stores versions of your files and other computer activity, such as 
email, chats, and web history. These versions may also be mixed with 
your Web search results to produce results pages for you that integrate 
relevant content from your computer and information from the Web.  Your 
computer's content is not made accessible to Google or anyone else 
without your explicit permission."

Vulnerabilities:
-----------------------------------------
Although one of the features of Google Desktop Search is to archive web 
history in its index for future searching, unchecking the preference to 
archive "Web History" and saving the preference does not clear the web 
history from the index.  It only prevents the archiving of future 
web-history.  It is therefore possible for any other user on the machine 
to reset the preferences and recover all archived web history, or probe 
the index file (in theory).

Workaround:
-----------------------------------------
Manually delete the index or the portions of Web History through the 
Google interfaces that are considered sensitive.

Vendor:
-----------------------------------------
Google support has been notified of this minor issue.

Thanks,
Elliott C. Bäck
www.elliottback.com