New Google Desktop Exploit Discovered

Another vulnerability in the Google Desktop search application has been discovered, similar but seperate to the ones discovered by Jim Ley and Netcraft. The discovery was made by Salvatore Aranzulla, an Italian journalist. The flaw allows attackers to target users of the Google Desktop application and modify the contents of search pages by injecting scripts located on external servers. Such cross site scripting attacks provide attackers with a means of obtaining information under the guise of a reputable domain.

Aranzulla has published details about the new vulnerability on his web site, where he includes some example exploits (Italian). He claims that inexperienced users may be susceptible to phishing attacks like these, while more experienced users may become suspicious due to the long URLs that are typically involved in exploiting cross site scripting vulnerabilities.

It is not clear whether Aranzulla notified Google before making his discovery public. As we previously reported, Jim Ley experienced difficulties when he tried to notify Google about a similar exploit he discovered more than two years ago. Conversely, a different vulnerability discovered by Netcraft last week, was closed within two days of being reported to Google.

The Google Desktop application is currently offered as a beta service. The tool allows you to use Google's familiar interface to find your email, files, web history and chats instantly. This level of power has raised some privacy concerns among users, particularly in light of the recent discoveries of vulnerabilities and the way in which it indexes files on shared PCs.