
Testers expose Google Desktop security bug

by Clement James

22 Feb 2007


Security experts have uncovered a vulnerability in Google Desktop which could enable a malicious hacker to achieve remote access to sensitive data and, in some conditions, full system control.

Web application security firm Watchfire claims to have uncovered a vulnerability which highlights the danger of integration between desktop and web-based applications.

The flaw could allow an attacker to escalate privileges by crossing from the web environment to the desktop application environment.

The vulnerability centres on the integration between the Google.com site and Google Desktop, and on Google Desktop's failure to properly encode output containing malicious or unexpected characters, the security firm said.

In the attack, researchers used malicious logic to act as a parasite, using JavaScript code to control Google Desktop functionality.

An attacker could evade current information protection systems, such as antivirus software and firewalls, allowing them to covertly hijack sensitive local information.

Google has issued a patch which mitigates the immediate risk of the attack, Watchfire said.

"Application security vulnerabilities need to be taken seriously," said Michael Weider, founder and chief technology officer at Watchfire.

"As the potential damage of a cross-site scripting attack against a desktop application with a web interface is enormous, web application security must be comprehensively evaluated and continually monitored.

"Industry leaders like Google continue to make strides in security but vulnerabilities can surface due to the dynamic nature of applications."
