Google Antiphishing Site Exposed Private User Data
Juha-Matti Laurio writes "Google has removed a few user names and passwords posted inadvertently to a phishing blacklist it compiles and makes publicly available on the Web. This information was submitted to Google by Firefox users with the browser's internal antiphishing toolbar. This feature, developed in cooperation with Google, enables users to report potential phishing sites to Google's blacklist database. Google has reportedly implemented a new mechanism detecting login data in submitted URLs to prevent sensitive information from getting posted to the list." The article notes that news of this minor lapse may obscure the ongoing problem of sensitive data exposed on the Web and findable via Google and other search services.
It was discussed on the full-disclosure mailing list 2 weeks ago. If Google is continuing to do this, it's hard for me to see it as anything but irresponsible.
"I'd rather be a lightning rod than a seismometer." -Ken Kesey
"This information was submitted to Google by Firefox users with the browser's internal antiphishing toolbar." So, the antiphishing toolbar is submitting full URLs without stripping them of uids/pwds/hashes. Sounds like both FF and Google are to blame for this one.
Okay, so people are accidentally sending Google URLs with their usernames and passwords in them, and Google is then reporting this information to whoever cares.
But the URLs people are submitting are URLs of sites they think are phishing sites. People are effectively saying, "I think this site stole my password, which is 12345." Okay, so maybe Google shouldn't widely distribute this accidentally-disclosed information, but... how much do you care about whether the general public can see your password, when you've already provided it to somebody who was actually trying to collect it for presumably nefarious purposes? Surely these passwords have been changed, right? Right?