Google Desktop Flaw Disclosed, Fixed

A flaw discovered in Google Desktop Search last year could have opened up users to the risk of having their personal data compromised. However, the issue was fixed within weeks of its discovery.

Google says that it had no evidence the vulnerability was ever exploited. According to a statement by Massachusetts-based Watchfire, the security firm that discovered the flaw, an attacker would be able to gain access to sensitive data, and in some cases full system control.

Watchfire says the problem is due to the way Google Desktop fails to encode output that contains malicious or unexpected characters. The company also said that the issue can be found in about four out of every five Web applications.

"Application security vulnerabilities need to be taken seriously," Watchfire CTO Michael Weider said. "As the potential damage of a Cross Site Scripting attack against a desktop application with a Web interface is enormous, Web application security must be comprehensively evaluated and continually monitored."

Vulnerable PCs could be infected in several ways, including through e-mail attachments. Once in, the attacker could use Google Desktop search itself in order to find and access sensitive data.

Google Desktop automatically updates itself, and the flaw had been repaired as of February 1, according to Watchfire. However, there could be other attempts at cracking data within the application, including one targeting the link that Google places between Web and desktop information.

But the search company denied that any risk was present, as it had taken all steps necessary to remedy the issues brought up by the security firm.
