Slashdot Mirror
Google Public Service Search Makes for Easy Phishing
lisah writes "According to reports at NewsForge this morning, Developer Eric Farraro has discovered a potential hole in Google's Public Search Service that may leave the door wide open for phishing scams. The Public Search Service, designed to allow universities and other non-profit institutions to add Google search capabilities to their websites, provides code that allows website developers to customize the header and footer of the search results page. Handy (and malicious) coders can manipulate the headers and footers to create what looks like a Google sign-in page and then collect the login names and passwords of unsuspecting users." NewsForge and Slashdot are both owned by OSTG.
Its google's issue because they are HOSTING it. If they werent hosting the code, then fine. But they are and thats where the problem lies.
The problem is that usually people can type in the URL from a suspicious looking email and prevent phishing attacks. In this case, typing in the URL took to you precisely the same site. All the anti-phishing advice you've been giving your family and friends would prove useless under these circumstances.
IT'S A TRAP
This is very Google-specific screw-up. It is not like they forgot to change some default setting, it is a specifically designed feature that went wrong.
Google certainly does not do evil, but it is not exactly catching in the rye.
I do not believe in karma. "Funny"=-6. Do good and forbid evil. Yours, Oft-Offtopic Flamebaiting Troll.
On a simliar note....
Build a man a fire and keep him warm for a night. Set a man on fire and you will keep him warm for the rest of his life.