Googles PC search software is vulnerable to a variation on a little-known Web-based attack called anti-DNS pinning that could give an attacker access to any data indexed by Google Desktop, security researchers said this week. This is the second security problem reported this week for the software. On Wednesday, researchers at Watchfire said theyd found a flaw that could allow attackers to read files or run unauthorized software on systems running Google Desktop. As with Watchfires bug, attackers would first need to exploit a cross-site scripting flaw in the Google.com Web site for this latest attack to work, but the consequences could be serious, according to Robert Hansen, the independent security researcher who first reported the attack. "All of the data on a Google desktop can now be siphoned off to an attackers machine," he said.
Cross-site scripting flaws are common Web server vulnerabilities that can be exploited to run unauthorized code within the victims browser. Hansen, who is CEO of Sectheory.com, did not post proof of concept code for his attack, but he said that he has "tested every component of it, and it works." He has posted some details of how Google Desktop data could be compromised on his blog. Google said it was investigating Hansens findings