Slashdot Mirror


Google Public Service Search Makes for Easy Phishing

lisah writes "According to reports at NewsForge this morning, Developer Eric Farraro has discovered a potential hole in Google's Public Search Service that may leave the door wide open for phishing scams. The Public Search Service, designed to allow universities and other non-profit institutions to add Google search capabilities to their websites, provides code that allows website developers to customize the header and footer of the search results page. Handy (and malicious) coders can manipulate the headers and footers to create what looks like a Google sign-in page and then collect the login names and passwords of unsuspecting users." NewsForge and Slashdot are both owned by OSTG.


  1. Give a man a fish... by Kenja · · Score: 3, Funny

    Give a man a fish and he can eat for one day, teach a man to phish and he can annoy millions of people for the rest of his (hopefully short) life.

    (Sigh) It's all rather depressing really. After having the same domain and email address for ten years my spam to real mail ratio is about 500:1 and I can find my email address on decade old usenet posts via Google.

    --

    "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
    1. Re:Give a man a fish... by AugustZephyr · · Score: 4, Funny

      On a similar note....
      Build a man a fire and keep him warm for a night. Set a man on fire and you will keep him warm for the rest of his life.

  2. Any major web service has this non-issue by mounthood · · Score: 2, Insightful

    If you make a Yahoo! Store that looks like Yahoo mail ... or an MSN page that looks like hotmail ...

    --
    tomorrow who's gonna fuss
  3. Try the address.... by dontbflat · · Score: 3, Insightful

    And you find that the google www.google.com/u/gplus doesn't work now. I'll say one thing. They sure are quick. Now they should just put those search results in an IFRAME that you can't change like the adsense code.

    People always are looking for new ways to get user/pass from unsuspecting users. The internet is used to hurt the ignorant. I just hope I won't fall into such a good looking trap.

  4. Re:Not a google issue... by dontbflat · · Score: 5, Insightful

    It's google's issue because they are HOSTING it. If they weren't hosting the code, then fine. But they are and that's where the problem lies.

  5. Original post by Infinityis · · Score: 3, Informative

    Original post
    Site in question

    It looks like the page has been replaced with a message warning about viruses and spyware. I looked at the page earlier (from Reddit.com) and the login page looked very legit--scary indeed.
    If you put in a username and password, he didn't store it but he echoed it back to your browser. Even though he didn't store it, my concern was that the password was still being transmitted via plaintext...

  6. Re:Not a google issue... by Infinityis · · Score: 4, Insightful

    The problem is that usually people can type in the URL from a suspicious looking email and prevent phishing attacks. In this case, typing in the URL took you to precisely the same site. All the anti-phishing advice you've been giving your family and friends would prove useless under these circumstances.

  7. Ackbar'ed by Infinityis · · Score: 4, Funny

    IT'S A TRAP

  8. Screw up of Google by mapkinase · · Score: 4, Insightful

    This is a very Google-specific screw-up. It is not like they forgot to change some default setting, it is a specifically designed feature that went wrong.

    Google certainly does not do evil, but it is not exactly catching in the rye.

    --
    I do not believe in karma. "Funny"=-6. Do good and forbid evil. Yours, Oft-Offtopic Flamebaiting Troll.
  9. Re:Article notes... by russ1337 · · Score: 3, Informative

    So how is their exploit any different from a sysadmin changing the DNS table on his server and presenting a page to the internal network that 'looks like google' and even has 'www.google.com/ig' (or a bank, ebay etc)? Isn't this why we have 'trusted websites/verisign etc... ?

  10. I love you, Gooooogle by Frankie70 · · Score: 2, Funny


    And you find that the google www.google.com/u/gplus doesn't work now. I'll say one thing. They sure are quick.


    How the hell did they manage that gazillion man hours work of disabling a webpage & then testing the fix of disabling the webpage so quickly?

    I bet everyone right from the top to bottom at Google must have been working non-stop on disabling this webpage.

    Anyway, Kudos & three cheers to Google on disabling this so quickly. They surely are amazing. Who knows, maybe they even hired a few thousand extra temporary workers also to work on disabling this webpage. What a great company.

    I love you, Gooooogle

  11. to rephrase this by AlgorithMan · · Score: 2, Funny
    coders can [...] create what looks like a Google sign-in page and then collect the login names and passwords of unsuspecting users.
    to rephrase this:
    Eric Farraro has discovered that phishing might exist...
    --
    The MAFIAA is a bunch of mindless jerks who will be the first up against the wall when the revolution comes
  12. What about using js to grab cookies? by mbannonb · · Score: 2, Insightful

    Instead of using javascript to create a modified form, why not use javascript to grab the user's google cookies and send them to yourself while on the google.com domain?

  13. Re:Not a google issue... by fmobus · · Score: 2, Interesting

    The security issue is not the design that looks legit. The issue is that the code is actually hosted at a Google Domain, thus being able to read Google.com cookies. This could mean some nasty attacks: if the injected javascript is allowed to read your gmail session cookies, for example, the attacker will be able to spoof your session, and steal your account. The other issue is that most users are "trained" to trust anything coming from a "www.google.com" domain.
    This is really bad. I hope google put this service down until they solve the problem (i.e. not allowing javascript nor "evil" css). Maybe some templating language or XML/XSLT hacks instead of full blown HTML.
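
The cookie-scope concern raised in comments 12 and 13, as an added example that is not part of the original thread: a simplified model of RFC 6265 matching that reports which cookies `document.cookie` would expose to script on a given page. The hosts (`example.com` standing in for the hosting domain, `example-usercontent.com` for a separate content domain) and the cookie jar are constructed for illustration.

```javascript
// Added illustration: which cookies would document.cookie expose to a script
// running on a given page? Simplified RFC 6265 matching; all data is constructed.

// Domain-match: host-only cookies need the exact host; Domain cookies cover subdomains.
function domainMatches(host, cookie) {
  const d = cookie.domain.replace(/^\./, "").toLowerCase();
  host = host.toLowerCase();
  if (cookie.hostOnly) return host === d;
  return host === d || host.endsWith("." + d);
}

// Path-match: the cookie path must prefix the request path on a "/" boundary.
function pathMatches(reqPath, cookiePath) {
  if (reqPath === cookiePath) return true;
  if (!reqPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || reqPath[cookiePath.length] === "/";
}

// Names of the cookies a script on pageUrl could read through document.cookie.
function scriptVisibleCookies(pageUrl, jar) {
  const u = new URL(pageUrl);
  return jar
    .filter((c) => domainMatches(u.hostname, c))
    .filter((c) => pathMatches(u.pathname, c.path))
    .filter((c) => !c.secure || u.protocol === "https:")
    .filter((c) => !c.httpOnly) // HttpOnly cookies are still sent, but hidden from script
    .map((c) => c.name);
}

// Constructed cookie jar (names are hypothetical).
const jar = [
  { name: "session", domain: "example.com", hostOnly: false, path: "/", httpOnly: false, secure: false },
  { name: "session_ho", domain: "example.com", hostOnly: false, path: "/", httpOnly: true, secure: true },
  { name: "mail_only", domain: "mail.example.com", hostOnly: true, path: "/", httpOnly: false, secure: true },
  { name: "acct", domain: "www.example.com", hostOnly: true, path: "/accounts", httpOnly: false, secure: true },
];

// Customer-editable page on the main host vs. the same page on a separate content domain.
console.log(scriptVisibleCookies("https://www.example.com/u/customer", jar));
console.log(scriptVisibleCookies("https://customer.example-usercontent.com/", jar));
```

Only the domain-wide cookie without HttpOnly is readable from the customer page on the main host; host-only, path-scoped and HttpOnly cookies are not, and nothing is readable once the page moves to a separate content domain.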