Google Fixes Desktop Search Flaw

Google has fixed a flaw in its new desktop search tool that could have let hackers rummage through any computer running the tool.

“We were made aware of this vulnerability with the Google Desktop Search software and have since fixed the problem so that all current and future users are secure,” according to a Google statement issued December 20.

Rice University researcher Dan Wallach and graduate students Seth Fogarty and Seth Nielson discovered the flaw in late November. They found that the desktop search tool watches for traffic headed to Google and, for particular searches, inserts results from the desktop tool user’s hard disk, according to the New York Times.

“They managed to trick the Google desktop search program into inserting those results into other Web pages where an attacker could read them,” said CNET.com. “This would only work after a user had visited an attacker's Web site, upon which a Java program (as created by the Rice group) would be able to fool the Google desktop software into providing the user's search information.”

“When users visit the compromised site,” said PC World, “the applet reads their local search result summaries and sends them back to the attacker's server.”

A few days before the Google desktop search flaw was actually disclosed, Gartner Research began warning businesses to avoid the tool until “a more robust, enterprise-ready version” is available.