Security researchers at Watchfire have uncovered a vulnerability in Google Desktop that could allow an attacker to steal confidential information and take control of a system.
Google has released an update for the software to patch the vulnerability, which relies on cross-site scripting techniques.
An attacker could exploit the flaw through a specially crafted web link containing JavaScript code.
When a user clicks on the link, the code is executed by the Google Desktop application, which then allows the attacker to perform searches on the infected computer.
This could lead to exposed passwords, social security numbers or other confidential information.
The vulnerability stems from Google Desktop's link to the Google.com service.
Watchfire also warned that current antivirus software does not protect against such attacks.
Online application security is a hot topic in the security industry.
Acunetix released a study last week in which it claimed that corporate websites contain an average of 66 security vulnerabilities in their online applications.
A video demonstration of the Google Desktop flaw is available on the Watchfire website.
Cross-site scripting attack could expose confidential info