Security watchdog Watchfire has revealed a critical security flaw in Google's Desktop search application. The firm has demonstrated how the vulnerability can be exploited by hackers to steal highly confidential data from unsuspecting computers.
In simple terms, Google Desktop has a hole in it and, once uncorked by a hacker, out pour all the sensitive files stored on the affected PC for the hacker's consumption. This process can be used to discover passwords or bank details, which can then be used to commit fraud.
Google has acted swiftly to patch the flaw, so anyone currently using the Google Desktop program is strongly advised to update to the newest version.
The flaw in the affected versions is a vulnerability in the 'under' search parameter, which Google Desktop users can use to search only under certain directories. A hacker can exploit this parameter by tricking users into clicking a compromised Google link, after which the hacker will have stealthy control over Google Desktop's cache of files.
The Desktop search software was vulnerable because the application links itself directly to the Google.com website; this link can be hijacked to produce the above results.
You can view Watchfire's online Flash video demonstration of the vulnerability on its website.