Slashdot Mirror


Google Public Service Search Makes for Easy Phishing

lisah writes "According to reports at NewsForge this morning, developer Eric Farraro has discovered a potential hole in Google's Public Search Service that may leave the door wide open for phishing scams. The Public Search Service, designed to allow universities and other non-profit institutions to add Google search capabilities to their websites, provides code that allows website developers to customize the header and footer of the search results page. Handy (and malicious) coders can manipulate the headers and footers to create what looks like a Google sign-in page and then collect the login names and passwords of unsuspecting users." NewsForge and Slashdot are both owned by OSTG.

40 comments

  1. report them by gEvil+(beta) · · Score: 1, Funny

    Quick, someone report them to stopbadware.org!

    --
    This guy's the limit!
  2. Article notes... by DarkShadeChaos · · Score: 1

    to be cautious when signing in to any google services with '/u/servicename' in the url. I can see how this could be potentially bad; even people checking to see if it was google.com in the address bar would not see anything to merit phishing.

    --
    The machine unmakes the man. Now that the machine is so perfect, the engineer is nobody. -Ralph Waldo Emerson
    1. Re:Article notes... by russ1337 · · Score: 3, Informative

      So how is their exploit any different from a sysadmin changing the DNS table on his server and presenting a page to the internal network that 'looks like google' and even has 'www.google.com/ig' (or a bank, ebay etc)? Isn't this why we have 'trusted websites/verisign etc...'?

  3. Give a man a fish... by Kenja · · Score: 3, Funny

    Give a man a fish and he can eat for one day, teach a man to phish and he can annoy millions of people for the rest of his (hopefully short) life.

    (Sigh) It's all rather depressing really. After having the same domain and email address for ten years my spam to real mail ratio is about 500:1 and I can find my email address on decade old usenet posts via Google.

    --

    "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
    1. Re:Give a man a fish... by AugustZephyr · · Score: 4, Funny

      On a similar note....
      Build a man a fire and keep him warm for a night. Set a man on fire and you will keep him warm for the rest of his life.

  4. Any major web service has this non-issue by mounthood · · Score: 2, Insightful

    If you make a Yahoo! Store that looks like Yahoo mail ... or an MSN page that looks like hotmail ...

    --
    tomorrow who's gonna fuss
  5. Not a google issue... by cosinezero · · Score: 1, Interesting

    That's not a hole in google's code. Any website coder can code up a phishing page that looks legit. Where is this Google's security issue?

    1. Re:Not a google issue... by dontbflat · · Score: 5, Insightful

      It's google's issue because they are HOSTING it. If they weren't hosting the code, then fine. But they are and that's where the problem lies.

    2. Re:Not a google issue... by Anonymous Coward · · Score: 1, Informative

      It sure is. The header and footer are hosted at google. So the malicious javascript that clears the innerHTML of the page can then be set to look like a different google login prompt, or anything for that matter, and the form data captured and posted to anywhere. Basically, it's an issue because the javascript to do the harm exists at google, because the offender can put it there. Google needs to make it so javascript cannot be used in the footer and header that is customized. Quite simple to fix really.

      Bottom line, quote: "avoid providing your Google credentials to any Google services with the /u/servicename construction."

    3. Re:Not a google issue... by Infinityis · · Score: 4, Insightful

      The problem is that usually people can type in the URL from a suspicious looking email and prevent phishing attacks. In this case, typing in the URL took you to precisely the same site. All the anti-phishing advice you've been giving your family and friends would prove useless under these circumstances.

    4. Re:Not a google issue... by dancingyel · · Score: 1

      That, and the URL looks deceptively legit.

    5. Re:Not a google issue... by fmobus · · Score: 2, Interesting

      The security issue is not the design that looks legit. The issue is that the code is actually hosted at a Google Domain, thus being able to read Google.com cookies. This could mean some nasty attacks: if the injected javascript is allowed to read your gmail session cookies, for example, the attacker will be able to spoof your session, and steal your account. The other issue is that most users are "trained" to trust anything coming from a "www.google.com" domain.
      This is really bad. I hope google put this service down until they solve the problem (i.e. not allowing javascript nor "evil" css). Maybe some templating language or XML/XSLT hacks instead of full blown HTML.

  6. Try the address.... by dontbflat · · Score: 3, Insightful

    And you find that the google www.google.com/u/gplus doesn't work now. I'll say one thing. They sure are quick. Now they should just put those search results in an IFRAME that you can't change like the adsense code.

    People always are looking for new ways to get user/pass from unsuspecting users. The internet is used to hurt the ignorant. I just hope I won't fall into such a good looking trap.

    1. Re:Try the address.... by Kenja · · Score: 1

      "And you find that the google www.google.com/u/gplus doesn't work now."

      Wonder if Google has a cache of the page for us to look at.

      --

      "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
  7. Original post by Infinityis · · Score: 3, Informative

    Original post
    Site in question

    It looks like the page has been replaced with a message warning about viruses and spyware. I looked at the page earlier (from Reddit.com) and the login page looked very legit--scary indeed.
    If you put in a username and password, he didn't store it but he echoed it back to your browser. Even though he didn't store it, my concern was that the password was still being transmitted via plaintext...

    1. Re:Original post by FooAtWFU · · Score: 1

      > We're sorry ... but your query looks similar to automated requests from a computer virus or spyware application. To protect our users, we can't process your request right now.

      So. Which of these exactly is Slashdot: a computer virus, or a spyware application?

      I favor the "virus" analogy.

      --
      The World Wide Web is dying. Soon, we shall have only the Internet.
  8. Ackbar'ed by Infinityis · · Score: 4, Funny

    IT'S A TRAP

  9. National Google Alert by dilvish_the_damned · · Score: 1

    I rank Joe at +8 [Alarmist] with a +6 [Can't be trusted with his password] modifier for a final score of 14 [Dork].
    I rank Zonk at +4 [asleep at the wheel].

    If you look closely, you will notice I wasn't being negative.

    --
    I think you underestimate just how much I just don't care.
    1. Re:National Google Alert by dilvish_the_damned · · Score: 1

      Oops, I was wrong, this looks like it might be an issue. For some people anyhow. Premature flame.
      Won't happen again. Today.

      --
      I think you underestimate just how much I just don't care.
  10. Screw up of Google by mapkinase · · Score: 4, Insightful

    This is a very Google-specific screw-up. It is not like they forgot to change some default setting, it is a specifically designed feature that went wrong.

    Google certainly does not do evil, but it is not exactly catching in the rye.

    --
    I do not believe in karma. "Funny"=-6. Do good and forbid evil. Yours, Oft-Offtopic Flamebaiting Troll.
    1. Re:Screw up of Google by maxume · · Score: 1

      Go to your room! NOW!

      --
      Nerd rage is the funniest rage.
  11. If only... by Threni · · Score: 1

    ...there was an easy way of getting to Google to log in, such as by typing `google` and hitting control-return.

  12. I love you, Gooooogle by Frankie70 · · Score: 2, Funny


    > And you find that the google www.google.com/u/gplus doesn't work now. I'll say one thing. They sure are quick.

    How the hell did they manage that gazillion man hours work of disabling a webpage & then testing the fix of disabling the webpage so quickly.

    I bet everyone right from the top to bottom at Google must have been working non-stop on disabling this webpage.

    Anyway, Kudos & three cheers to Google on disabling this so quickly. They surely are amazing. Who knows, maybe they even hired a few thousand extra temporary workers also to work on disabling this webpage. What a great company.

    I love you, Gooooogle

    1. Re:I love you, Gooooogle by lostboy2 · · Score: 1

      Well, I'd mod you +0.5 Funny and -0.5 Flamebait, so it evens out.

      I think the implied point of the parent post is that there are companies which would not (and apparently do not) respond so quickly. At least, this is the perception, judging by comments in other /. stories.

      So, it's really a comment about the apparent level of Google's bureaucracy (i.e., not as bad as some), not their technical expertise. Of course, that's really just a comment about how bad other companies are perceived to be with regards to responding to things like that.

      Just for the record, I'm not a Google-evangelist.

  13. We're spoiled by sunny256 · · Score: 1

    > And you find that the google www.google.com/u/gplus doesn't work now. I'll say one thing. They sure are quick.

    > How the hell did they manage that gazillion man hours work of disabling a webpage & then testing the fix of disabling the webpage so quickly.

    > I bet everyone right from the top to bottom at Google must have been working non-stop on disabling this webpage.

    I'm sorry for bringing this eternal FOSS-theme into the picture, but as Google is pretty involved in the FOSS community, they know that users of free software don't believe in security by obscurity (which this isn't anymore anyway) and they are used to quick fixes to security holes. No wait for next month's upgrade, things are fixed by someone right now. And cracked user accounts are bad publicity in any case.

  14. Porn from the Smithsonian Institute by robotsrule · · Score: 1

    Whew! That explains it! I was really tired of getting all that porn from The Smithsonian Institute showing Neanderthal couples doing the nasty with a Woolly Mammoth. I never opened any of it of course!

    --


    Robert Oschler - RobotsRule.com
  15. to rephrase this by AlgorithMan · · Score: 2, Funny

    > coders can [...] create what looks like a Google sign-in page and then collect the login names and passwords of unsuspecting users.

    to rephrase this:
    Eric Farraro has discovered that phishing might exist...

    --
    The MAFIAA is a bunch of mindless jerks who will be the first up against the wall when the revolution comes
    1. Re:to rephrase this by asylumx · · Score: 1

      Nice quip, but actually what he's discovered is a way to create such a phishing page and get google to even host it on their domain... which makes it almost completely impossible to detect as phishing until it's too late.

  16. Back to the Future by Anonymous Coward · · Score: 0

    Ah hell, let's just go back to pen & paper and leave the internet to (free) porn and "anonymous" socializing.

  17. Bad habits by thesandtiger · · Score: 1, Insightful

    Generally, unless I have specifically typed in a URL I know is safe, I will at the very least check the address bar of my browser before signing in to something. That means that any time there's a link to something - even from a source that I trust - I will check to make sure I am where I think I am. Of course, I'm slightly paranoid, and I would expect that the average user doesn't do this kind of thing. It's kind of like the "secure" commerce sites - how many people actually check for the little lock/key thingy? Probably most on /., but in the real world it seems like a shiny website with stuff mainly spelled correctly is good enough for most.

    And speaking of laziness.... Why is it that the only "editorial" behavior /. editors do is the "full-disclosure" thing with stories that are somehow associated with /. or their masters?

    It's like "Oh, we won't bother ensuring that something's not a dupe, and we won't bother to spell, grammar or fact check submissions - but hey, we can sure look all editorly if we just do that disclosure thingy! LOOKIT ME!!! I CAINT SPEL EDITIR, BUT I ARE WON!!!!"

    Sorry. (And good-bye, karma!)

    --
    Since I can't tell them apart, I treat all ACs as the same person.
  18. Of course by NineNine · · Score: 1

    Of course you're right. What it boils down to is the Net is filled to the brim with scams, cons, (bad) hackers, etc., and there's absolutely nothing to stop them. Net crime is absolutely rampant, and there's virtually no law enforcement agency that can do anything about it.
    Personally, I think it's going to get so bad that all online commerce is going to grind to a halt either because of scared customers, or because of companies' litigation costs.

    1. Re:Of course by John+Hasler · · Score: 1

      > Net crime is absolutely rampant, and there's virtually no law enforcement
      > agency that can do anything about it.

      _Will_ do anything about it.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
  19. the shiny lock is no guarantee by ClioCJS · · Score: 1

    There are now exploits which work beneath the SSL layer. The lock is no guarantee. :) Read about it in Infoworld...

    --
    -Clio
    Karma: Bad (mostly from not giving a fuck)
    Blog: http://clintjcl.wordpress.com
  20. What about using js to grab cookies? by mbannonb · · Score: 2, Insightful

    Instead of using javascript to create a modified form, why not use javascript to grab the user's google cookies and send them to yourself while on the google.com domain?

    1. Re:What about using js to grab cookies? by caseydk · · Score: 1

      I said this exactly to my security buddy who pointed this site out to me. Who knows what will be in the cookie?

  21. The Death of Google Adsense by cyzumhood · · Score: 1

    It's true after Google has changed the way Adsense works and it's now dead forever! You can still make petty change but check out the ebook to figure out the new way of advertising to start receiving those large checks you used to get from Google Adsense. Find out about the death of adsense and how to turn your sites income into huge positive numbers by downloading this FREE ebook! The Death Of Google Adsense