SecurityFocus.com (http://securityfocus.com), the highly rated Internet security watchdog, announced on November 4 that hackers exploiting a flaw in Google's desktop search tool (http://desktop.google.com), launched a week earlier, could have illegally obtained critical user data such as credit card information. The flaw, which Google finally plugged on November 3, might have left the highly trusted search engine's Google Desktop vulnerable to phishing, the Internet fraud of using spoofed emails and web pages to persuade users to part with critical information.
The website www.antiphishing.org, which keeps watch over phishing scams, says that fraudsters succeed in convincing about five percent of their targets to part with critical data. Considering the billions of page views that Google receives daily worldwide, the exposure could have been enormous, experts believe.
Users accessing the search website with Microsoft's Internet Explorer, which runs on about 75 percent of all personal computers worldwide, were particularly vulnerable, according to Jim Ley, the Internet security expert who exposed the hole in the search engine's security. Ley warned that Google's search tool failed to prevent hackers from inserting JavaScript code into a web address, allowing a third party to change Google's web page to ask its visitors for personal data such as credit card numbers.
Ley said that Google's script-insertion flaw, which affected Google's main site for as long as two years, became more serious after the launch of the desktop search tool, because the tool placed the results of a desktop search into the output of a regular Google search. He added that the flaw could have allowed third parties to record all the searches people made. Ley's website www.jibbering.com claims Google technicians contacted him to point out that they had plugged the hole on November 3.