According to an Associated Press (AP) report, Google has quietly fixed a ‘potentially critical’ flaw in its Desktop application that could have exposed personal files on users’ computers. The flaw was initially brought to Google’s notice by security analysis provider Watchfire Corp.
Google says there is no evidence to show that the vulnerability has been exploited in any way.
Google Desktop, first released in 2004, was described by one Google executive as ‘the photographic memory of one’s computer’. The application offers a quick, easy way to find documents, emails, IM transcripts, and archived Web pages locked on users’ PCs.
Watchfire researchers, under the guidance of Founder and Chief Technical Officer Mike Weider, discovered, however, that the application is vulnerable to what is called a cross-site scripting attack, wherein an attacker plants malicious code on the computer of a Google Desktop user and thereby gets free rein to use Google Desktop to search the victim’s computer, or a couple of computers, and grab complete control of the affected machine or machines. Besides, such an attack has the potential to go unnoticed by firewalls or antivirus software.
Watchfire sources say they reported the security hole to Google on Jan 4, and were assured on Feb 1 that the flaw had been fixed.
Although one avenue for data theft has been effectively sealed, Watchfire still cautions that another avenue might emerge as Google maintains links between desktop and Web data.
While Weider contends there is a high potential for such a thing to happen, Google spokesperson Barry Schnitt maintains that Google has taken several steps to protect its users and mitigate such attacks. He adds that an additional layer of security checks has been introduced in order to prevent the types of attacks pointed out by Watchfire Corp.