Please create an account to participate in the Slashdot moderation system

 


Forgot your password?
Close
typodupeerror
×

Google Public Service Search Makes for Easy Phishing 40

Posted by Zonk from the watch-where-you-search dept.
lisah writes "According to reports at NewsForge this morning, Developer Eric Farraro has discovered a potential hole in Google's Public Search Service that may leave the door wide open for phishing scams. The Public Search Service, designed to allow universities and other non-profit institutions to add Google search capabilities to their websites, provides code that allows website developers to customize the header and footer of the search results page. Handy (and malicious) coders can manipulate the headers and footers to create what looks like a Google sign-in page and then collect the login names and passwords of unsuspecting users." NewsForge and Slashdot are both owned by OSTG.
This discussion has been archived. No new comments can be posted.

Google Public Service Search Makes for Easy Phishing More

Google Public Service Search Makes for Easy Phishing

Comments Filter:

  • Re:Not a google issue... (Score:1, Informative)

    by Anonymous Coward on Friday September 15, 2006 @12:35PM (#16114466)
    It sure is. The header and footer are hosted at google. So the malicious javascript that clears the innerHTML of the page can then be set to look like a different google login prompt, or anything for that matter, and the form data captured and posted to anywhere. Basicaly, it's an issue because the javascript to do the harm exists at google, because the offender can put it there. Google needs to make it so javascript cannot be used in the footer and header that is customized. Quite simple to fix really.

    Bottom line, quote: "avoid providing your Google credentials to any Google services with the /u/servicename construction."

  • Original post (Score:4, Informative)

    by Infinityis ( 807294 ) on Friday September 15, 2006 @12:38PM (#16114494) Homepage
    Original post [ericfarraro.com]
    Site in question [google.com]

    It looks like the page has been replaced with a message warning about viruses and spyware. I looked at the page earlier (from Reddit.com) and the login page looked very legit--scary indeed.
    If you put in a username and password, he didn't store it but he echoed it back to your browser. Even though he didn't store it, my concern was that the password was still being transmitted via plaintext...

  • Re:Article notes... (Score:4, Informative)

    by russ1337 ( 938915 ) on Friday September 15, 2006 @01:22PM (#16114868)
    So how is their exploit any different from a sysadmin changing the DNS table on his server and presenting a page to the internal network that 'looks like google' and even has 'www.google.com/ig' (or a bank, ebay etc)? Isnt this why we have 'trusted websites/verisign etc... ?

Slashdot Top Deals

Work without a vision is slavery, Vision without work is a pipe dream, But vision with work is the hope of the world.

Close