Google's PC search software is vulnerable to a variation on a little-known Web-based attack called anti-DNS pinning that could give an attacker access to any data indexed by Google Desktop, security researchers said this week. This is the second security problem reported this week for the software. On Wednesday, researchers at Watchfire said they'd found a flaw that could allow attackers to read files or run unauthorized software on systems running Google Desktop. As with Watchfire's bug, attackers would first need to exploit a cross-site scripting flaw in the Google.com Web site for this latest attack to work, but the consequences could be serious, according to Robert Hansen, the independent security researcher who first reported the attack. "All of the data on a Google desktop can now be siphoned off to an attacker's machine," he said.
Cross-site scripting flaws are common Web server vulnerabilities that can be exploited to run unauthorized code within the victim's browser. Hansen, who is CEO of Sectheory.com, did not post proof of concept code for his attack, but he said that he has "tested every component of it, and it works." He has posted some details of how Google Desktop data could be compromised on his blog. Google said it was investigating Hansen's findings