According to a report posted to the Bugtraq Security Focus list on Wednesday, Google's new Desktop Search tool did not prevent a hacker from inserting JavaScript, a programming language, into the Web address of its page image, or logo. That vulnerability could have allowed any rogue third party to change the appearance of Google's Web page to ask for personal data such as credit card numbers from its visitors, what's known as a phishing scam, according to the warning.
Mountain View, Calif.-based Google said it has fixed the problem.
"Google was recently alerted to a potential security vulnerability affecting users of our Web site," a company representative said. "We have since fixed this vulnerability, and all current and future Google.com users are protected."
The warning came only a week after Google released its newest Web search product--a tool to search the files on a PC alongside Web pages. Security experts have scrutinized the technology, with some interesting finds. Last week, security consultant Richard Smith found clues that could point to a coming instant chat client from the search giant.
Jim Ley, who runs a Web log, posted the warning about Google's script-insertion flaw, which he said has affected Google's main site for as long as two years. But with the addition of Google Desktop, the flaw became more serious, he said, because "it places the results of a desktop search into the output of a regular Google search." He said that the flaw could have allowed third parties to make a record of all the searches people make.
The flaw primarily had affected people using Microsoft's Internet Explorer Web browser, Ley said.
