Old 10-27-2004, 10:55 AM  
greentea
Confirmed User
 
Join Date: Mar 2002
Location: South Florida
Posts: 6,580
New Google Desktop Exploit Discovered

Another vulnerability in the Google Desktop search application has been discovered, similar but separate to the ones discovered by Jim Ley and Netcraft. The discovery was made by Salvatore Aranzulla, an Italian journalist. The flaw allows attackers to target users of the Google Desktop application and modify the contents of search pages by injecting scripts located on external servers. Such cross site scripting attacks provide attackers with a means of obtaining information under the guise of a reputable domain.

Aranzulla has published details about the new vulnerability on his web site, where he includes some example exploits (Italian). He claims that inexperienced users may be susceptible to phishing attacks like these, while more experienced users may become suspicious due to the long URLs that are typically involved in exploiting cross site scripting vulnerabilities.

It is not clear whether Aranzulla notified Google before making his discovery public. As we previously reported, Jim Ley experienced difficulties when he tried to notify Google about a similar exploit he discovered more than two years ago. Conversely, a different vulnerability discovered by Netcraft last week was closed within two days of being reported to Google.




http://mirabilweb.altervista.org/pag...ina=google_bug
__________________
blunts