Google's PC search software is vulnerable to a variation on a little-known web-based attack called anti-DNS (Domain Name System) pinning, which could give an attacker access to any data indexed by Google Desktop, security researchers have warned.
This is the second security problem with the software reported this week. On Wednesday, researchers at Watchfire said they had found a flaw that could allow attackers to read files or run unauthorised software on systems running Google Desktop.
The new vulnerability could be exploited by attackers, who would first need to exploit a cross-site scripting flaw in the Google.com website, as with the Watchfire bug, said Robert Hansen, the independent security researcher who first reported the security hole. The consequences could be serious, he added. "All of the data on a Google desktop can now be siphoned off to an attacker's machine," he said.
Cross-site scripting flaws are common web server vulnerabilities that can be exploited to run unauthorised code within the victim's browser.
Hansen, who is chief executive of Sectheory.com, posted details of how Google Desktop data could be compromised on his blog.
Google said it was investigating Hansen's findings. "In addition, we recently added another layer of security checks to the latest version of Google Desktop to protect users from vulnerabilities related to web search integration in the future," the company said.
Anti-DNS pinning is an emerging area of security research understood by just a handful of researchers, said Jeremiah Grossman, chief technical officer at WhiteHat Security. The variation of this attack described by Hansen manipulates the way the browser works with the internet's DNS in order to trick the browser into sending information to an attacker's computer.
News of the attack comes as Google is trying to enter the desktop productivity market. On Thursday Google launched a suite of web-based collaboration software, called the Google Apps Premier Edition, which analysts say could become a competitor to Microsoft Office.