My impressions of Google Desktop Search

Google Desktop Search is useful enough for me to keep it installed, but I wouldn't say that it works well.

Functionality

  • The file I'm looking for is often missing from Google Desktop Search's index. Even the filename is missing. I can't tell if it decided to skip the file because of its extension, contents, location, or changed-on date. Sometimes touching the file gets it indexed, but sometimes it doesn't.
  • It "caches" old versions of files often enough to take up disk space unnecessarily, but not often enough that I can rely on it for a revision history when I break something.
  • Since Google Desktop Search is slower than www.google.com, leaving "Show Desktop Search results on Google Web Search result pages" checked makes it slow down web searches.
  • It gets much slower if I add num=100 to the URLs. A search with num=100 usually takes 3 seconds. This would be ok if it streamed the results, but I just don't see anything for 3 seconds. (There's no UI for adding num=100, so it's not really fair to complain.)

Security

  • "Show Desktop Search results on Google Web Search result pages", which is checked by default, elevates any XSS hole in www.google.com to a read-my-files hole.
  • Google Desktop Search uses an interesting scheme to mitigate XSS and CSRF holes: it includes a hash in every URL, even the root. The hash includes the path and sometimes includes the query parameters. If the hash is missing or doesn't match, it returns "Invalid Request".
  • Clicking a link to an .exe file in search results runs it without any warning.
  • The web site doesn't mention the current version number. The program doesn't have a "Check for upgrades" link, and if it checks automatically, it gives no indication of that fact.
  • Any web page can detect whether you have Google Desktop Search running by loading an image (or perhaps any URL) from http://127.0.0.1:4664/.
  • The index is stored in a predictable location. "File upload holes", which let sites read your files if they know the filenames, are common in web browsers. File upload holes that require no user interaction are usually fixed quickly. But file upload holes that do require user interaction are not always fixed quickly. Two file upload holes requiring user interaction that I reported in 2000 are still present in IE and Firefox.
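A worked illustration of the per-URL hash idea described above, added here as an example and not Google Desktop Search's own code. It assumes an HMAC keyed with a per-install secret (Google's actual construction is not documented on this page), a hypothetical query parameter name `s` for the hash, and it binds both the path and the query parameters, which closes the gap left when the hash covers only the path.

```python
import hmac
import hashlib
import secrets
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit, parse_qsl, urlencode

# Assumed design: a random secret generated at install time and never exposed to
# web content. Constructed fresh here so the example runs stand-alone.
SECRET = secrets.token_bytes(32)

PARAM = "s"  # hypothetical name of the hash query parameter


def _mac(path: str, query_pairs: List[Tuple[str, str]]) -> str:
    # Canonical form: path plus the sorted query parameters, excluding the MAC itself.
    # Sorting makes the value independent of parameter order.
    canon = path + "?" + urlencode(sorted(query_pairs))
    return hmac.new(SECRET, canon.encode(), hashlib.sha256).hexdigest()[:32]


def sign_url(path: str, params: Optional[Dict[str, str]] = None) -> str:
    """Build a local URL (even the root) that carries a valid hash."""
    pairs = list((params or {}).items())
    return path + "?" + urlencode(pairs + [(PARAM, _mac(path, pairs))])


def check_request(url: str) -> str:
    """Server-side check: reject any request whose hash is missing or mismatched."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    supplied = [v for k, v in pairs if k == PARAM]
    others = [(k, v) for k, v in pairs if k != PARAM]
    if len(supplied) != 1:
        return "Invalid Request"
    # Constant-time comparison so timing does not leak the expected value.
    if not hmac.compare_digest(supplied[0], _mac(parts.path, others)):
        return "Invalid Request"
    return "OK"


if __name__ == "__main__":
    good = sign_url("/search", {"q": "hello"})
    print(good, "->", check_request(good))
    print("/search?q=hello ->", check_request("/search?q=hello"))
    print(good.replace("q=hello", "q=other"), "->",
          check_request(good.replace("q=hello", "q=other")))
```

Because a page on another origin cannot read the secret, it cannot forge a link that the local server will accept; the remaining risk is any page that can read a valid URL (for example through an XSS hole on a site that displays these links), which is exactly why the first bullet above matters.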

7 Responses to “My impressions of Google Desktop Search”

  1. Jez Says:

    Can you expand on this a little:

    Any web page can detect whether you have Google Desktop Search running by loading an image (or perhaps any URL) from http://127.0.0.1:4664/.

    ?

    Cheers.

  2. Michael Says:

    I find the Desktop Search is not as useful because of the inability to add new file types to index such as cfm, prg, and sql files.

    Another free product that takes longer to display search results than the google product is Copernic. Their web site is at http://www.copernic.com

  3. Jeff Walden Says:

    >Any web page can detect whether you have Google Desktop Search running by loading an image (or perhaps any URL) from http://127.0.0.1:4664/

    I’ll take a shot at this. It’s easy enough to load an image from a certain location without really letting the viewer know it:

    <img src="some-normal-location" width="1" height="1" id="some-id">

    From here, Javascript can switch the normal image with a faulty one. It can even determine whether an image loaded or not:

    var did_not_load = false;
    // onload/onerror fire asynchronously, so the decision must be made
    // inside those handlers, not straight after assigning src.
    function noLoad() { did_not_load = true; showResult(); }
    function didLoad() { showResult(); }
    function showResult() {
      // Assumes a <span id="result"></span> somewhere on the page; document.write
      // after the page has loaded would replace the whole document.
      var out = document.getElementById('result');
      if (did_not_load)
        out.textContent = "Download Google Desktop!";
      else
        out.textContent = "Welcome, Google Desktop user!";
    }

    var myImg = document.getElementById('some-id');
    myImg.onerror = noLoad;
    myImg.onload = didLoad;
    myImg.src = "http://127.0.0.1:4664/";

    This may not seem particularly bad, and in fact it may not be (I’m not the security expert here), but it is revealing more information to the website than it should have.

    Note, however, that this doesn’t really apply only to Google Desktop users — it applies to the users of any programs that run a mini-web server on port 4664. (This isn’t to say that Google Desktop may not be the only one, however — I don’t know if any other such programs exist.)

  4. Jesse Ruderman Says:

    Another annoyance: the indexer locks the file while indexing it, so if I try to save a file twice two seconds apart, I get an error the second time. Does Windows give programs a way to read a file without locking it, such that it *loses* if another program tries to write to the same file before it’s done reading?

  5. ayan Says:

    Can you please tell me how much space Google consumes for saving the cached versions? And does it make the computer slow?

  6. Jesse Ruderman Says:

    It refused to install until I had 1 GB free, but it only uses 400 MB. My hard drive stores about 40 GB but I don’t know how much of that is searchable text files.

  7. Hasan Dakheli Says:

    Hi,
    Does anyone know how GoogleDesktop manages to search SO FAST, even for phrases like
    “is is is” ?