Researchers from a leading web application firm said today they have uncovered a major vulnerability in Google Desktop that could allow hackers to perform searches on a victim's computer and discover sensitive files.
The attack uses cross-site scripting to deliver JavaScript from a vulnerable Google webpage to Google Desktop, Danny Allan, director of security research at Watchfire, told SCMagazine.com today. Watchfire reported the flaw to Google in January, and the internet giant patched it on Feb. 1.
Users, likely through social engineering, initially visit a Google webpage vulnerable to cross-site scripting, Allan explained. There, embedded JavaScript tells the victim’s browser to send a behind-the-scenes request to Google, which sends a request to the victim’s Google Desktop. Attached to the request is a malicious payload that permits an attacker to assume control of the application.
"Because of the integration between Google.com and Google Desktop, that is the way the malicious individual navigates onto (a victim’s) computer," Allan said. "To the victim, it’s a click."
Once the victim’s machine is compromised, an attacker can remotely perform searches and disable default settings, allowing him access to password-protected documents and archived secure websites, he said. The malicious individual also can force the victim to execute certain programs.
"The outcome of this is very serious," Allan said. "The ongoing danger is that more and more applications have very powerful features like this and more and more allow integration between the local computer and the internet."
Google said it was not aware of any users being impacted.
"A fix was developed quickly, and users are being automatically updated with the patch," Google spokesman Barry Schnitt said. "In addition, we have (added) another layer of security checks to the latest version of Google Desktop to protect users from similar vulnerabilities in the future."
Users are urged to update to the latest version of the application, Schnitt added.
Allan said the bug emphasizes the need for developers to build more secure applications and for anti-virus vendors to create solutions that defend against such attacks.
Reporter: Dan Kaplan.