Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Antiphishing Site Exposed Private User Data

Posted by kdawson on from the self-phishing dept.

Juha-Matti Laurio writes "Google has removed a few user names and passwords posted inadvertently to a phishing blacklist it compiles and makes publicly available on the Web. This information was submitted to Google by Firefox users with the browser's internal antiphishing toolbar. This feature, developed in cooperation with Google, enables users to report potential phishing sites to Google's blacklist database. Google has reportedly implemented a new mechanism detecting login data in submitted URLs to prevent sensitive information from getting posted to the list." The article notes that news of this minor lapse may obscure the ongoing problem of sensitive data exposed on the Web and findable via Google and other search services.

69 comments

  1. Why is this just breaking now? by winkydink · · Score: 3, Insightful

    It was discussed on the full-disclosure mailing list 2 weeks ago. If Google is continuing to do this, it's hard for me to see it as anything but irresponsible.

    --

    "I'd rather be a lightning rod than a seismometer." -Ken Kesey

    1. Re:Why is this just breaking now? by jmazzi · · Score: 4, Insightful

      Well, obviously not everyone is on the mailing list your talking about (including the slashdot editor). This is news to me. Putting it on a site like slashdot will help educate people who weren't already aware.

    2. Re:Why is this just breaking now? by Anonymous Coward · · Score: 0, Flamebait

      Putting it on a site like slashdot will help educate people who weren't already aware.

      It's a lost cause. Those who have some sense already know that GOOG is one of the greatest fuck-ups, technologically worse than AOL and MSN combined.

      The fanbois, however, can't be turned back into rational human beings; they'll continue to drool over every shiny new GOOG-Turd-beta while wanking off to a picture of Steve Jobs.

    3. Re:Why is this just breaking now? by jamietre · · Score: 3, Insightful

      There are websites that manage sensitive information that pass usernames & passwords in the actual URL, and you think Google's irresponsible?

    4. Re:Why is this just breaking now? by charlieman · · Score: 1

      Well you should have send it to /. 2 weeks ago then.

    5. Re:Why is this just breaking now? by sholden · · Score: 1

      Why not read the second paragraph of the article?

      Yes, I must be new here...

    6. Re:Why is this just breaking now? by kalleguld · · Score: 2, Insightful

      Phishing websites. Why should they be careful about the security of the user?

      --
      Sigs are bad for your health
    7. Re:Why is this just breaking now? by jamietre · · Score: 1

      Doh! Of course. Rolling my eyes, at myself...

    8. Re:Why is this just breaking now? by Deanalator · · Score: 1

      The first time I looked at the link that was posted on full disclosure, all the passwords etc were there, but when I checked again the next day they had been removed. I think Google actually did a pretty quick cleanup job cleaning up their mess. The delay is due to the media echo chamber.

      Remember that the full disclosure event was reported to Finjan, who did an analysis. Someone over at information week then wrote an article about this analysis, which was posted yesterday. The slashdot posting is about the information week article.

    9. Re:Why is this just breaking now? by heytal · · Score: 1

      These weren't the real sites, I believe. They were phishing sites, which passed logins and passwords in the URL. The URL's submitted by the users were supposed to be blacklisted, and hence the list was published.

      If the user, before submitting the URL did not check for personal information in the URL, it's that user's problem, and not Google's.

      I think it was pretty smart on behalf of Google to come up with an algorithm to look at the submitted URL, and remove the personal data.

    10. Re:Why is this just breaking now? by jamietre · · Score: 1

      Yes, I got schooled already. Since then I've changed my mind completely: google is not just irresponsible, but pretty stupid for allowing this to happen at all. Why include ANY part of the query string at all? A reference to a phishing web site ought to end with the "?" in the URL. I would think the "algorithm" would just be "ditch anything after the actual location." Even if it didn't occur to them that there might be personal data in the query-string part of the URL, there's no reason to keep any of it in the first place. This just makes the reference to the site more unique and therefore less likely to be matched when someone uses the database.

    11. Re:Why is this just breaking now? by perenaurel · · Score: 1

      i posted a /. comment with a link to this mailing list post a few weeks ago...

  2. Never fear! by greginnj · · Score: 4, Funny
    Google has removed a few user names and passwords posted inadvertently to a phishing blacklist it compiles and makes publicly available on the Web.
    Never fear, they're still available on Google Cache :)

    --
    Read the best of all of Slash: seenonslash.com
  3. Nice by madsheep · · Score: 2, Interesting

    Sounds like we have some sites that are passing persistent username and password information in the URL (not just querystrings etc). That's pretty lame. I think Barracuda SPAM Firewall does this as well. Perhaps one of these days we'll just see applications with a higher level of security and won't have to worry about this so much.

    1. Re:Nice by Nos. · · Score: 1

      Passing strings via POST as opposed to GET is not "secure". Both can be easily sniffed. The only way to do it is to use SSL, in which case, even the GET strings are encrypted.

    2. Re:Nice by madsheep · · Score: 1

      SSL has nothing to do with it though if it's a GET or persisting URL. It can be encrypted all it wants to be to and from the server, but doesn't mean it cannot be picked up as a phishing site..unless the anti-phishing URL checker breaks because it's preceded by https.

    3. Re:Nice by lukas84 · · Score: 2, Insightful

      You are right, but that's not the point.

      URLs are commonly copy and pasted, submitted to other sites, can be read in the browser history, in proxy logs, etc.

      Of course, you can configure a proxy to log POST data, but this is beside the point. This is about preventing unintended duplication of sensitive data, not actual attacks.

    4. Re:Nice by Anonymous Coward · · Score: 2, Insightful

      Sounds like we have some sites that are passing persistent username and password information in the URL (not just querystrings etc). That's pretty lame.

      That's quite an understatement. Doing that not only causes problems like this, it also discloses your username and password to a) anybody with access to a proxy log (it's easier to get hold of that than root the proxy to sniff the traffic) and b) any website you navigate to directly from the braindead website (since the URI, including the username and password, will be sent to the new website in the Referer HTTP header).

    5. Re:Nice by Cally · · Score: 1

      or encrypt the data on the server side before sending it back to the client (via a cookie by preference. You can't bookmark a cookie ;)

      --
      "None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
    6. Re:Nice by Nos. · · Score: 1

      But how does the data get to the server in the first place. If its not encrypted from step one, its not secure.

  4. This is why I don't use a phishing filter by SNR+monkey · · Score: 4, Funny

    Now please excuse me, g00gle.com tells me I need to enter my gmail login, password, and a valid credit card number to unlock my gmail account.

  5. Google by Newfie2005 · · Score: 5, Funny

    "Google also encourages users to use its search engine as a free credit card and Social Security number monitoring service for Web-based content. "We also suggest that individuals create Google Alerts for their credit card and Social Security numbers," the company recommends. "You can be notified once a day or once a week if a new result appears on Google for this query."

    As if google doesn't know enough about us, whats next, check google to see if someone is eating the same meal as you for breakfast?

    1. Re:Google by Anonymous Coward · · Score: 0

      Well, actually, a service to check if someone else is sleeping with the same member of the appropriate sex as us would be VERY useful... you don't have a problem with posting full name, age, and other identifying info for all you sex partners to the web, do you?

    2. Re:Google by AutopsyReport · · Score: 1

      Not when my sexual history can be summed up in a four-letter word: NULL.

      --

      For he today that sheds his blood with me shall be my brother.

    3. Re:Google by AugustZephyr · · Score: 1

      You and the rest of the /. community. This is gonna kill my karma.

  6. Google's Fault? How about FF? by EveryNickIsTaken · · Score: 5, Insightful

    "This information was submitted to Google by Firefox users with the browser's internal antiphishing toolbar." So, the antiphishing toolbar is submitting full URL's without stripping them of uids/pwds/hashes. Sounds like both FF and Google are to blame for this one.

    1. Re:Google's Fault? How about FF? by Jherek+Carnelian · · Score: 1

      "This information was submitted to Google by Firefox users with the browser's internal antiphishing toolbar."

      What internal antiphishing toolbar? I use firefox 2.0 and the only toolbars listed on View->Toolbars are Navigation and Bookmarks.

    2. Re:Google's Fault? How about FF? by Anonymous Coward · · Score: 0

      It's not a toolbar. It's under Help, and it's called "Report Web Forgery" and it sends the URL to Google. The ENTIRE URL with no filtering, at least in my checks.

    3. Re:Google's Fault? How about FF? by Anonymous Coward · · Score: 0
      Since you have people doubting on you, I can prove Firefox doesn't strip anything from the URL.

      Unzip the file "content/browser/safebrowsing/sb-loader.js" from "chrome/browser.jar" in your Firefox directory. This contains the file that handles submitting URLs to Google. It's in the core Firefox distribution, and Bonsai clearly fingers Firefox as adding it so the blame lies completely with Firefox.

      (Or you can just use their online code browser.)

      Anyway, search for "getReportPhishingURL" - this is the URL phishing reports are sent to. Note the following lines:

      var pageUrl = getBrowser().currentURI.asciiSpec;
      reportUrl += "&url=" + encodeURIComponent(pageUrl);
      Those two lines add the current URL of the currently active page DIRECTLY without modifying it at all.

      So, yes, Firefox doesn't do ANY URL filtering at all, and this can be verified by checking the code base.
    4. Re:Google's Fault? How about FF? by Original+Replica · · Score: 1

      Does anyone know of a toolbar that hasn't eventually been the source of a problem? In the past past I would have said Google toolbar, but now I'm not so sure.

      --
      We are all just people.
  7. Big deal.. by madhatter256 · · Score: 1

    This kinda is a big deal. Imagine all the customers of Bank of America, Suntrust, Citibank, and Wachovia who are constantly reporting to google whenever they come across a phishing site. Dyslexic still continue in reporting fishing.com to google *sigh*.

    --
    Previewing comments are for sissies!
  8. Truth about phishing by fatnicky · · Score: 2, Insightful

    We only comment about the jerks who phish for one reason.

    We didn't think of it first.

    --
    Free childcare classifieds: www.carebrite.com
    1. Re:Truth about phishing by flyingfsck · · Score: 1

      Give a man a phish and he has one credit card to misuse.
      Teach a man how to phish and he has unlimited credit for life...

      --
      Excuse me, but please get off my Pennisetum Clandestinum, eh!
    2. Re:Truth about phishing by FooAtWFU · · Score: 3, Interesting

      Whatever we you are talking about, I do not wish to be a member of it. Thank you.

      --
      The World Wide Web is dying. Soon, we shall have only the Internet.
    3. Re:Truth about phishing by StikyPad · · Score: 1

      We concur.

      --
      https://www.eff.org/https-everywhere
    4. Re:Truth about phishing by NZBeeMan · · Score: 1

      Give a man a phish and feed him for a day...
      Teach a man how to phish and he will sit in a boat and drink beer all day.

  9. What I do... by Anonymous Coward · · Score: 0
    is disable all this do no evil^w^w^w privacy reducing bloat. Try the fixing the following mis-features by setting them to booleen false in about:config.

    browser.safebrowsing.enabled false
    browser.search.suggest.enabled false
    network.prefetch-next false
    I also disable javascript but that's apparently because "I'm weird".
  10. Don't worry, a patch is out already by Anonymous Coward · · Score: 0

    You can get it here

  11. Google Safe Browsing by Anonymous Coward · · Score: 0

    this blog was posted to the full-disclosure list a couple days ago...has a lot more on the technical details of google's phishing protection and firefox:

    http://jon.oberheide.org/blog/2006/11/13/google-sa fe-browsing/

  12. Shitty Web Programmers by Anonymous Coward · · Score: 0

    Why is this googles fault? Try blaming the retarts that use the URL parameters for username and password.... Come on that's web programming 101...

    1. Re:Shitty Web Programmers by Anonymous Coward · · Score: 0

      It is retard .

      "Retart" sounds like you gave somebody another round of dessert.

  13. Speaking of Shitty Programmers by Anonymous Coward · · Score: 0

    http://portal.spidynamics.com/blogs/spilabs/archiv e/2006/12/19/IE7-_2D00_-Phishing-vs.-Privacy.aspx

    http://www.webappsec.org/lists/websecurity/archive /2006-12/msg00100.html

  14. Do not use such a bloated browsers then by AnnuitCoeptis · · Score: 0, Offtopic

    Recetly, I've found out that I don't have a web browser that is not threatened by some nasty bugs or exploits. So after a long research I've found "Offbyone" browser, and it rulez. Website loading is -rapid- compared to anything outthere. No Web2.0 spyware.. no problems.

    And did you notice how slow those Web2.0 sites are? The usability went from 4/5 to 2/5 with all those _web 2.0_ upgrades. There is nothing I was missing with old Slashdot, old Yahoo! messageboars or old Digg. All those sites were better under the old scheme and faster. Now you can play Doom in the browser right? Wrong, I play Doom on my XBox360 Live Arcade not in the _web 2.0_ bloated browser.

    1. Re:Do not use such a bloated browsers then by Anonymous Coward · · Score: 0

      Is this a troll? Off by one is 1. windows only and 2. only supports HTML 3.2

      An aspiring elitist prick like you should at least have the decency to use XSmiles ;-)

  15. Do no evil by Robert+Goatse · · Score: 1, Insightful

    Let's get all of the Google nuthuggers out of the woodwork to defend their g00gl3!!!11 Now, if it was Microsoft on the other hand, they would be skewered to no end for a SNAFU such as this.

    1. Re:Do no evil by creativeHavoc · · Score: 1

      Well if you actually read the comments above instead of going straight to complaining you would see the posts are all pretty much jokes, or people blaming google (or firefox too)

      --
      insight through the mind
  16. This is just a "long range" anti-phishing plan! by Anonymous Coward · · Score: 0

    ...I mean, if you publish the information nobody has to phish for it. Sooner or later, all those phishing "skills" will atrophy, and there'll be no more phishing!

  17. Google found a whole year of JIATF emails! by Anonymous Coward · · Score: 0

    This was a few years ago.
    To, from, and subject only, but it was still pretty interesting because you could tell who had been distracted at work.

  18. Blame Dynamic DNS Services by Anonymous Coward · · Score: 0

    When reviewing stats of how many offences are committed using a straight IP address followed by a typical website secure address, I would say Point the finger the other direction at these DDNS services that do no verification of what content they are allowing these fly by night websites to host.

    When is the last time you received an email stating to update your bank info at 255.255.255.255.securebanking.BankOfAmerica.com/Lo gin/aseer223as/index.jsp or any other phishing scam? To be honest I haven't seen on in my inbox in 2-3 years.

    On the other hand I almost weekly see phishing emails for sec.tw.seurebanking.BankOfAmerica.com/Login/aseer2 23as/index.jsp which makes it a lot harder to notice over the earlier scams.

    Why hasn't the governments of this 21st century world recognized that we are a Computer born society and that if immoral acts of theft are occurring that we need to make the individuals responsible for allowing such a simple act of theft to be prosecuted. I say fry ddns.au, ddns.com.au, dyndns.com and all the like of them for failing to provide some sort of safe guard of abuse of their services. How difficult would it be to add webpage crawling to any DDNS service before allowing the registration of the hosts IP? Scan the hosts pages compare them to a listed of registered banking/brokerage/retail/government pages and if they have offending content immediately notify law enforcement and the ISP.

    Internet is born of Free Speech and the like but Free never meant $Free$.

    1. Re:Blame Dynamic DNS Services by iago-vL · · Score: 1
      255.255.255.255.securebanking.BankOfAmerica.com/Lo gin/aseer223as/index.jsp
      sec.tw.seurebanking.BankOfAmerica.com/Login/aseer2 23as/index.jsp

      Correct me if I'm wrong, but wouldn't both of those be controlled by "BankOfAmerica.com"? Unless the spaces are somehow significant..

      --
      http://www.skullsecurity.org/blog/
    2. Re:Blame Dynamic DNS Services by Anonymous Coward · · Score: 0

      Minor error on my keyboarding.... The arguement is not about my typing ability it is about the responsibility of the DDNS services.

      URLS should have been:
        255.255.225.255/banking_URL_posted_here
        sec.au/banking_URL_Posted_Here

  19. Quick! by thanksforthecrabs · · Score: 4, Funny

    Switch to Internet Explorer 7!

    1. Re:Quick! by RzUpAnmsCwrds · · Score: 1

      IE7 strips GET data (anything after the ?) from the pages you check, so this kind of thing doesn't happen.

      The funny thing is that there was an article about this on IEBlog months ago - I'm amazed that Google didn't do this.

  20. Ruining the very pants I was returning... by Anonymous Coward · · Score: 0
    Somehow this story with Google spyw^H^H^H phis^H^H^H antiphishing blacklist reminds me of...

    ELAINE: Would you please just get on with the stupid Bob Saccamano story?!

    KRAMER: Well, I'm on the phone with Bob, and I realize right then and there that I need to return this pair of pants. So, I'm off to the store.

    ELAINE: What happened to Bob Saccamano?

    KRAMER: Well, nothing. His part of the story is done. (Elaine covers her face with her hands - showing her difficulty coping with Kramer) So I'm waiting for the subway, It's not coming, so I decided to hoof it through the tunnel.

    ELAINE: Alright, well, now that's something..

    KRAMER: Well, I don't know if I lost track of time - or what, but the next think I knew..

    ELAINE: (Adding) A train is bearing down on you?!

    KRAMER: No, I slipped - and fell in the mud. Ruining the very pants I was about to return.

    ELAINE: (Reflects on the story) I don't understand.. you were wearing the pants you were returning?

    KRAMER: Well, I guess I was...
  21. Tell me it isn't so... by jo42 · · Score: 0, Flamebait

    The Great Google, with its thousands of very highly educated people accidentally releasing private information? Tell me that it just isn't so. What happened to "Do No Evil"? And are those highly educated people that can run and pass The Great Google Hiring Gauntlet no so smart after all?? Tell me that it just isn't so... :-p

  22. Antiphishing is really click-tracking by Statecraftsman · · Score: 1

    Does anyone know what limits are placed on the urls that are sent to Google(and with IE7 Microsoft)? I figure that if these companies wanted to they could use all these urls to piece together what the most popular search results should be for any query. Even if these companies could not do this, a community-based, properly anonymizing service could almost replace any search engine on the planet by tracking what keywords lead to what websites people click on. Has anyone heard of this idea or has it been shot down for some other reason besides the privacy concerns?

    1. Re:Antiphishing is really click-tracking by Anonymous Coward · · Score: 0

      MS strips the URL: http://blogs.msdn.com/ie/archive/2005/09/09/463204 .aspx and http://blogs.msdn.com/ie/archive/2005/08/31/458663 .aspx

      Phishing Filter does not check every URL on the Microsoft server. It only sends those which are not on a known list of OK sites or those that appear suspicious based on heuristics. If an URL is checked on the Microsoft server, first the URL is stripped down to the path to help remove personal information, then the remaining URL is sent over a secure SSL connection. The communication with the Microsoft server is done asynchronously so that there is little to no effect on your browsing experience.

      So, for example, if you were to visit http://www.msn.com/ nothing will be checked on the Microsoft server because "msn.com" and other major websites are on the client-side list of OK sites. However, let's say the URL looked like this: http://207.68.172.246/result.aspx?u=Tariq&p=Tariq' sPassword, in this scenario phishing filter will remove the query string to help protect my privacy but it will send "http://207.68.172.246/result.aspx" to be checked by the Microsoft Server because 207.68.172.246 is not on the allow list of OK sites. As it turns out, 207.68.172.246 is just the IP address of MSN.com server, so its not a phishing site but this example should help you understand more about how Phishing Filter checks sites on the server.

    2. Re:Antiphishing is really click-tracking by Statecraftsman · · Score: 1

      That's good to know...I still think it'd be cool if there was some way to build a search engine based on anonymized click info from clients. Too bad, the useful data in such a scenario has the potential to identify the user. There's got to be a way to do it and make the database publicly available so it can be audited. Maybe only capture the first click from any results page and strip out the personally identifiable info in a url in a custom way for each url. The only thing missing then would be the marketing for a search engine nobody owns.

  23. Nice spin by Anonymous Coward · · Score: 0

    "... few user names... minor lapse... "

    Can you imagine what the /. story would say if, say, Microsoft or Sony had screwed up like this?

  24. Oops! by Phusion0 · · Score: 1

    Sorry!

    --
    Smokedot.org
  25. Let me get this straight by iabervon · · Score: 4, Insightful

    Okay, so people are accidentally sending Google URLs with their usernames and passwords in them, and Google is then reporting this information to whoever cares.

    But the URLs people are submitting are URLs of sites they think are phishing sites. People are effectively saying, "I think this site stole my password, which is 12345." Okay, so maybe Google shouldn't widely distribute this accidentally-disclosed information, but... how much do you care about whether the general public can see your password, when you've already provided it to somebody who was actually trying to collect it for presumably nefarious purposes? Surely these passwords have been changed, right? Right?

  26. Re:rgerer by Anonymous Coward · · Score: 0

    This is off-topic, and if you want to mod me as such then waste your points, but seriously, why can't these "first posts" that are basically piles of shit not just automatically removed? Not that it takes much time to skip over reading it, but the level of care associated with these comments by the administrators is so non-existent that they will just KEEP HAPPENING until something is done about it!

  27. Missing the Interesting Part of the Story by Dotnaught · · Score: 4, Informative
    The most interesting aspect of the story is that Google's auto-suggestion code will suggest a social security number search keyed to a specific person and that the Google engineers were unaware of this possibility. In other words, if you search for your name and social security number enough times, someone else searching on your name might get a search suggestion that included the social security number you entered (if you did it a lot).

    In fact, Google is downright helpful when it comes to finding Social Security numbers: In one case -- and it may be the only one -- Google will identify an individual whose Social Security number has been posted online, thanks to a feature in the Google Toolbar that generates search suggestions based on popular searches. (Evidently, a lot of people have searched for this person's Social Security number.)

    Entering two keywords related to Social Security numbers -- call them "x" and "y" so as not to compound the problem -- into the Google Toolbar will produce a keyword search suggestion in the form "x y John Doe." Selecting the suggested search terms and name, as might be expected, generates a search results page with the named person's Social Security number.


  28. Searching your SSN worked great for AOL users... by patio11 · · Score: 1

    What is my assurance that a "trusted partner" doesn't gain access to "Aggregate search queries with no personally identifying information involved" five years down the line and run grep /[0-9]{3}\-[0-9]{2}\-[0-9]{4}/ against it? Anything that goes into the search hopper is retained, forever, so that Google can use it to tweak their algorithms. Google *has* my credit card number on file (AdWords) and can even access my bank account (Checkout) but these are risks that I can tolerate because presumably they have procedures in place to protect information they KNOW is sensitive and even if they don't my bank has ultimate liability for unauthorized charges. I'm not NEARLY so convinced that they have adequate procedures in place to protect search queries, which most people would assume are probably pretty harmless. (I know they bounced a Justice Department demand to turn over a million random queries once. Bully for their lawyers yesterday, what about their most clueless employee *tomorrow*? AOL posted their queries out of a desire to do good and genuine ignorance about the downside potential, too.)

    Every time I accessed a credit card number on a customer account at an old place of employment there was an audit trail generated and what numbers I was accessing was periodically reviewed against what accounts I had legitimate business servicing. Does Google keep similarly in-depth records about internal/external use of their query data? I don't have confidence that this is the case.

    --
    Help poke pirates in the eyepatch, arr.
  29. Re:rgerer by madcow_bg · · Score: 1

    Well ... without AI it is just impossible to distinguish between troll and off-topic first posts and on-topic fp-s.\
    Besides, if they want to spend their karma this way ... let them do it. Democracy at it's best :).

  30. Re:rgerer by Anonymous Coward · · Score: 0

    Pardon the use of "automatically." I simply meant that, upon an editor seeing the crappy first post, how hard would it be to write a "delete permanently" button and use it?