Source: Evil Octal Information Security Team (www.eviloctal.com)
The Google Desktop Search is an indexing tool, currently in beta testing, designed to allow users fast, intuitive searching of local files. The principal interface is provided through a local web server, which presents an interface similar to Google.com’s normal web page. Local files are indexed when the system is idle, and the indexer understands a number of common file types. An optional feature lets Google Desktop integrate a short summary of local search results with Google.com web searches. This summary includes 30-40 character snippets of local files. In our research we searched for a vulnerability that would release private local data to an unauthorized remote entity. Our focus was on the small snippets of local data that the integration feature handled. We realized that this feature was combining local private data with remote public data in a possibly unsafe environment. We present two different attacks that exploit this vulnerability.