It took a “few weeks” but better late than never. After a few weeks Google finally fixed the XSS hole that Watchfire found in Google Desktop. The flaw would enable attackers to read personal files from users who used Google Desktop. Apparently Google has now instituted additional layers of security to protect against their coding flaws. To quote the article:
“We’ve added an additional layer of security checks to prevent the types of attacks pointed out by Watchfire and future possible attacks through this vector as well,” [Schnitt] wrote.
Why am I not impressed by those words? Suffice it to say, neither is Watchfire:
“There’s a high potential for this to happen again,” Weider said.
Yup, but let’s finish Mike Weider’s sentence since it’s incomplete: There is a high potential of Google creating desktop products that endanger their users’ privacy again. Whenever you try to web-enable services, which Google is hyper interested in doing so they can track everything you do and integrate things more seamlessly, you are creating a huge hole.
Just because you add an additional layer of security does not make the concept secure. Of course no one will abandon this path only making the hole bigger and more complex with time. However, it is my opinion that it is only a matter of time until these types of exploits are being written into viruses. A “few weeks” is actually almost a month by my calendar (Jan 4th to Feb 1st) and that is just way too long to respond to a critical threat like this.