Researchers from a leading web application firm said today they have uncovered a serious vulnerability in Google Desktop that could allow hackers to perform searches on a victim's computer and discover sensitive files.

The attack uses cross site scripting to deliver JavaScript from a vulnerable Google webpage to Google Desktop, Danny Allan, director of security research at Watchfire, told today

Users, likely through social engineering, initially visit a Google webpage vulnerable to cross-site scripting, Allan explained. There, embedded JavaScript tells the victim’s browser to send a behind-the-scenes request to Google, which sends a request to the victim’s Google Desktop. Attached to the request is a malicious payload that permits an attacker to assume control of the application.

"Because of the integration between and Google Desktop, that is the way the malicious individual navigates onto [a victim’s] computer," Allan said. "To the victim, it’s a click."

Once the victim’s machine is compromised, an attacker can remotely perform searches and disable default settings, allowing him access to password-protected documents and archived secure websites, he said. Also, the malicious individual can force the victim to execute certain programs.

"The outcome of this is very serious," Allan said. "The ongoing danger is that more and more applications have very powerful features like this and increasingly allow integration between the local computer and the internet."

Google said it was not aware of any users being affected by the vulnerability, according to Allan. A Google spokesman could not immediately be reached for comment today.

Allan said the bug emphasises the need for developers to build more secure applications and for anti-virus vendors to create solutions that defend against such attacks.