Slashdot Mirror


Google Public Service Search Makes for Easy Phishing

lisah writes "According to reports at NewsForge this morning, Developer Eric Farraro has discovered a potential hole in Google's Public Search Service that may leave the door wide open for phishing scams. The Public Search Service, designed to allow universities and other non-profit institutions to add Google search capabilities to their websites, provides code that allows website developers to customize the header and footer of the search results page. Handy (and malicious) coders can manipulate the headers and footers to create what looks like a Google sign-in page and then collect the login names and passwords of unsuspecting users." NewsForge and Slashdot are both owned by OSTG.

2 of 40 comments

  1. Not a google issue... by cosinezero · Score: 1, Interesting

    That's not a hole in google's code. Any website coder can code up a phishing page that looks legit. Where is this Google's security issue?

    1. Re:Not a google issue... by fmobus · Score: 2, Interesting

      The security issue is not the design that looks legit. The issue is that the code is actually hosted at a Google domain, thus being able to read Google.com cookies. This could mean some nasty attacks: if the injected JavaScript is allowed to read your Gmail session cookies, for example, the attacker will be able to spoof your session and steal your account. The other issue is that most users are "trained" to trust anything coming from a "www.google.com" domain.
      This is really bad. I hope Google puts this service down until they solve the problem (i.e. not allowing JavaScript nor "evil" CSS). Maybe some templating language or XML/XSLT hacks instead of full-blown HTML.