eldavojohn writes "There's a brief article on Ars Technica about how Finjan Inc. (a security provider) found a security problem with Google's anti-phishing plug-in for Mozilla Firefox and covertly contacted Google about it. From the article,

'How did an anti-phishing plugin wind up exposing user names and passwords to the general public? Google's software used a public blacklist, available from Google's servers, which listed sites that were fraudulently pretending to be banking or other financial institutions. Unfortunately, some of these sites embedded usernames and passwords directly into the URL — obviously phishing sites didn't have concerns about security — and were thus viewable by anyone.'

So you might be asking why this isn't bigger news. Well, Google has since fixed this problem and turned this issue into a non-issue. One must wonder whether this form of bug discovery is more sensible or 'correct' than the constant Microsoft bugs published online. Perhaps if Google continues to handle low-key notices seriously, they'll never find themselves in the same position as Microsoft?"
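
The exposure the quoted article describes comes from publishing reported URLs verbatim. The following is an added example, not part of the original post and not Google's code, showing one way a blacklist publisher could redact credentials before release; the parameter-name list, function names and sample URLs are constructed assumptions.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumed names of query parameters that commonly carry secrets (not from the article).
SENSITIVE_PARAMS = {"user", "username", "login", "email",
                    "pass", "passwd", "password", "pin", "token"}

def redact_url(url):
    """Return (publishable_url, had_secret) for one reported URL."""
    parts = urlsplit(url)
    # Userinfo form, scheme://user:password@host/..., keeps only host[:port].
    netloc = parts.netloc.rpartition("@")[2]
    had_secret = netloc != parts.netloc
    pairs = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SENSITIVE_PARAMS:
            value, had_secret = "REDACTED", True
        pairs.append((key, value))
    # The fragment is dropped: it is not needed for matching and may carry data.
    clean = urlunsplit((parts.scheme, netloc, parts.path, urlencode(pairs), ""))
    return clean, had_secret

def publishable_blacklist(reported_urls):
    """Redact every entry and de-duplicate, preserving first-seen order."""
    seen, out, flagged = set(), [], 0
    for url in reported_urls:
        clean, had_secret = redact_url(url)
        flagged += had_secret  # count of reports that contained a secret
        if clean not in seen:
            seen.add(clean)
            out.append(clean)
    return out, flagged

# Constructed sample reports; example.test hosts are placeholders.
SAMPLE = [
    "http://alice:hunter2@phish.example.test/login",
    "http://phish.example.test/verify.php?username=bob&password=s3cret&step=2",
    "http://phish.example.test/verify.php?username=carol&password=other&step=2",
    "http://other.example.test:8080/index.html",
]

if __name__ == "__main__":
    entries, flagged = publishable_blacklist(SAMPLE)
    print(f"{flagged} of {len(SAMPLE)} reports contained credentials")
    for entry in entries:
        print(entry)
```

Credentials embedded in the path itself cannot be recognised by name, so a publisher handling such reports would need a stricter policy, such as listing only scheme, host and path prefix.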