Google has fixed a potentially devastating bug in its desktop search tool that could have exposed personal files on users’ computers to data thieves. The company says it has no evidence that the vulnerability was exploited.

The flaw was uncovered late last year by Watchfire, a security-analysis provider. Danny Allan, a researcher at the company, said that the vulnerability exists in about 80 per cent of web applications, but that the risks were more extreme “given the sensitive nature of what Google Desktop is doing.”

Google’s free desktop product, first released in 2004, lets users set Google’s indexing and searching capabilities loose on their own computers. The service offers a fast, easy way to find documents, e-mails, instant-messaging transcripts and archived webpages. A Google executive once described it as “the photographic memory of your computer.”

The Watchfire researchers discovered that the set-up was open to something known as a cross-site scripting attack, which lets an attacker place malicious code on a Google Desktop user’s computer. The PC could be infected a number of ways, including an infected e-mail attachment.

A hacker would then have had free reign to use Google Desktop to search the victim’s machine, and possibly to take full control of the computer, according to Watchfire. The company’s founder and chief technical officer, Mike Weider, said the attack would have gone undetected by firewalls or antivirus software.

Watchfire said it reported the security hole to Google on January 4 and was told on February 1 that the flaw had been fixed. Barry Schnitt, a spokesman for the company, said that desktop search software is updated automatically, so users do not need to take any steps to protect themselves.

While this opportunity for data theft has been shut down, Watchfire suggested that another could emerge because Google maintains a link between desktop and web data. “There’s a high potential for this to happen again,” Mr Weider said.

However, Mr Schnitt said that Google had introduced tighter security to counter such risks. “We’ve added an additional layer of security checks to prevent the types of attacks pointed out by Watchfire and future possible attacks through this vector as well,” he wrote.