
Google Public Service Search Makes for Easy Phishing

Posted by Zonk
from the watch-where-you-search dept.
lisah writes "According to reports at NewsForge this morning, Developer Eric Farraro has discovered a potential hole in Google's Public Search Service that may leave the door wide open for phishing scams. The Public Search Service, designed to allow universities and other non-profit institutions to add Google search capabilities to their websites, provides code that allows website developers to customize the header and footer of the search results page. Handy (and malicious) coders can manipulate the headers and footers to create what looks like a Google sign-in page and then collect the login names and passwords of unsuspecting users." NewsForge and Slashdot are both owned by OSTG.
This discussion has been archived. No new comments can be posted.


  • Quick, someone report them to stopbadware.org!
    • to be cautious when signing in to any google services with '/u/servicename ' in the url. I can see how this could be potentially bad; even people checking to see if it was google.com in the address bar would not see anything to merit phishing.
      • Re:Article notes... (Score:4, Informative)

        by russ1337 (938915) on Friday September 15, 2006 @01:22PM (#16114868)
        So how is their exploit any different from a sysadmin changing the DNS table on his server and presenting a page to the internal network that 'looks like google' and even has 'www.google.com/ig' (or a bank, ebay etc)? Isn't this why we have 'trusted websites/verisign etc... ?
  • by Kenja (541830) on Friday September 15, 2006 @12:25PM (#16114384)
    Give a man a fish and he can eat for one day, teach a man to phish and he can annoy millions of people for the rest of his (hopefully short) life.

    (Sigh) It's all rather depressing really. After having the same domain and email address for ten years my spam to real mail ratio is about 500:1 and I can find my email address on decade old usenet posts via Google.
  • If you make a Yahoo! Store that looks like Yahoo mail ... or an MSN page that looks like hotmail ...
    • Of course you're right. What it boils down to is the Net is filled to the brim with scams, cons, (bad) hackers, etc., and there's absolutely nothing to stop them. Net crime is absolutely rampant, and there's virtually no law enforcement agency that can do anything about it.
      Personally, I think it's going to get so bad that all online commerce is going to grind to a halt either because of scared customers, or because companies' litigation costs.
      • > Net crime is absolutely rampant, and there's virtually no law enforcement
        > agency that can do anything about it.

        _Will_ do anything about it.
  • by cosinezero (833532)
    That's not a hole in google's code. Any website coder can code up a phishing page that looks legit. Where is this Google's security issue?
    • by dontbflat (994444) on Friday September 15, 2006 @12:33PM (#16114447) Homepage
      It's google's issue because they are HOSTING it. If they weren't hosting the code, then fine. But they are and that's where the problem lies.
    • Re: (Score:1, Informative)

      by Anonymous Coward
      It sure is. The header and footer are hosted at google. So the malicious javascript that clears the innerHTML of the page can then be set to look like a different google login prompt, or anything for that matter, and the form data captured and posted to anywhere. Basically, it's an issue because the javascript to do the harm exists at google, because the offender can put it there. Google needs to make it so javascript cannot be used in the footer and header that is customized. Quite simple to fix really.
    • by Infinityis (807294) on Friday September 15, 2006 @12:42PM (#16114535) Homepage
      The problem is that usually people can type in the URL from a suspicious looking email and prevent phishing attacks. In this case, typing in the URL took you to precisely the same site. All the anti-phishing advice you've been giving your family and friends would prove useless under these circumstances.
    • Re: (Score:2, Interesting)

      by fmobus (831767)
      The security issue is not the design that looks legit. The issue is that the code is actually hosted at a Google Domain, thus being able to read Google.com cookies. This could mean some nasty attacks: if the injected javascript is allowed to read your gmail session cookies, for example, the attacker will be able to spoof your session, and steal your account. The other issue is that most users are "trained" to trust anything coming from a "www.google.com" domain.
      This is really bad. I hope google put this s
  • by dontbflat (994444) on Friday September 15, 2006 @12:30PM (#16114424) Homepage
    And you find that the google www.google.com/u/gplus doesn't work now. I'll say one thing. They sure are quick. Now they should just put those search results in an IFRAME that you can't change like the adsense code.

    People always are looking for new ways to get user/pass from unsuspecting users. The internet is used to hurt the ignorant. I just hope I won't fall into such a good looking trap.
    • by Kenja (541830)
      "And you find that the google www.google.com/u/gplus doesn't work now."

      Wonder if Google has a cache of the page for us to look at.

    • And you find that the google www.google.com/u/gplus doesn't work now. I'll say one thing. They sure are quick.


      How the hell did they manage that gazillion man hours work of disabling a webpage & then testing the fix
      of disabling the webpage so quickly.

      I bet everyone right from the top to bottom at Google must have been working non-stop on
      disabling this webpage.

      Anyway, Kudos & three cheers to Google on disabling this so quickly.
      They surely are amazing. Who knows, maybe they even hired a few thousand ext
      • And you find that the google www.google.com/u/gplus doesn't work now. I'll say one thing. They sure are quick.

        How the hell did they manage that gazillion man hours work of disabling a webpage & then testing the fix of disabling the webpage so quickly.

        I bet everyone right from the top to bottom at Google must have been working non-stop on disabling this webpage.

        I'm sorry for bringing this eternal FOSS-theme into the picture, but as Google is pretty involved in the FOSS community, they know that

      • by lostboy2 (194153)
        Well, I'd mod you +0.5 Funny and -0.5 Flamebait, so it evens out.

        I think the implied point of the parent post is that there are companies which would not (and apparently do not) respond so quickly. At least, this is the perception, judging by comments [slashdot.org] in other /. stories).

        So, it's really a comment about the apparent level of Google's bureaucracy (i.e., not as bad as some), not their technical expertise. Of course, that's really just a comment about how bad other companies are perceived to be with regards to
  • Original post (Score:4, Informative)

    by Infinityis (807294) on Friday September 15, 2006 @12:38PM (#16114494) Homepage
    Original post [ericfarraro.com]
    Site in question [google.com]

    It looks like the page has been replaced with a message warning about viruses and spyware. I looked at the page earlier (from Reddit.com) and the login page looked very legit--scary indeed.
    If you put in a username and password, he didn't store it but he echoed it back to your browser. Even though he didn't store it, my concern was that the password was still being transmitted via plaintext...
    • by FooAtWFU (699187)
      We're sorry ... but your query looks similar to automated requests from a computer virus or spyware application. To protect our users, we can't process your request right now.

      So. Which of these exactly is Slashdot: a computer virus, or a spyware application?

      I favor the "virus" analogy.

  • Ackbar'ed (Score:5, Funny)

    by Infinityis (807294) on Friday September 15, 2006 @12:45PM (#16114557) Homepage
    IT'S A TRAP
  • I rank Joe at +8 [Alarmist] with a +6 [Can't be trusted with his password] modifier for a final score of 14 [Dork].
    I rank Zonk at +4 [asleep at the wheel].

    If you look closely, you will notice I wasn't being negative.
  • Screw up of Google (Score:5, Insightful)

    by mapkinase (958129) on Friday September 15, 2006 @01:18PM (#16114831) Homepage Journal
    This is a very Google-specific screw-up. It is not like they forgot to change some default setting, it is a specifically designed feature that went wrong.

    Google certainly does not do evil, but it is not exactly catching in the rye.
  • ...there was an easy way of getting to Google to log in, such as by typing `google` and hitting control-return.
  • Whew! That explains it! I was really tired of getting all that porn from The Smithsonian Institute showing Neanderthal couples doing the nasty with a Woolly Mammoth. I never opened any of it of course!
  • coders can [...] create what looks like a Google sign-in page and then collect the login names and passwords of unsuspecting users.
    to rephrase this:
    Eric Farraro has discovered that phishing might exist...
    • by asylumx (881307)
      Nice quip, but actually what he's discovered is a way to create such a phishing page and get google to even host it on their domain... which makes it almost completely impossible to detect as phishing until it's too late.
  • Bad habits (Score:2, Insightful)

    by thesandtiger (819476)
    Generally, unless I have specifically typed in a URL I know is safe, I will at the very least check the address bar of my browser before signing in to something. That means that any time there's a link to something - even from a source that I trust - I will check to make sure I am where I think I am. Of course, I'm slightly paranoid, and I would expect that the average user doesn't do this kind of thing. It's kind of like the "secure" commerce sites - how many people actually check for the little lock/key t
  • Instead of using javascript to create a modified form, why not use javascript to grab the user's google cookies and send them to yourself while on the google.com domain?
    • by caseydk (203763)
      I said this exactly to my security buddy who pointed this site out to me. Who knows what will be in the cookie?
  • It's true after Google has changed the way Adsense works and its now dead forever! you can still make petty change but check out the ebook to figure out the new way of advertising to start receiving those large checks you used to get from Google Adsense Find out about the death of adsense and how to turn your sites income into huge positive numbers by downloading this [thedeathofadsense.com] FREE ebook! The Death Of Google Adsense [thedeathofadsense.com]
