Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Antiphishing Site Exposed Private User Data

Posted by kdawson on from the self-phishing dept.

Juha-Matti Laurio writes "Google has removed a few user names and passwords posted inadvertently to a phishing blacklist it compiles and makes publicly available on the Web. This information was submitted to Google by Firefox users with the browser's internal antiphishing toolbar. This feature, developed in cooperation with Google, enables users to report potential phishing sites to Google's blacklist database. Google has reportedly implemented a new mechanism detecting login data in submitted URLs to prevent sensitive information from getting posted to the list." The article notes that news of this minor lapse may obscure the ongoing problem of sensitive data exposed on the Web and findable via Google and other search services.

44 of 69 comments (clear)

  1. Why is this just breaking now? by winkydink · · Score: 3, Insightful

    It was discussed on the full-disclosure mailing list 2 weeks ago. If Google is continuing to do this, it's hard for me to see it as anything but irresponsible.

    --

    "I'd rather be a lightning rod than a seismometer." -Ken Kesey

    1. Re:Why is this just breaking now? by jmazzi · · Score: 4, Insightful

      Well, obviously not everyone is on the mailing list your talking about (including the slashdot editor). This is news to me. Putting it on a site like slashdot will help educate people who weren't already aware.

    2. Re:Why is this just breaking now? by jamietre · · Score: 3, Insightful

      There are websites that manage sensitive information that pass usernames & passwords in the actual URL, and you think Google's irresponsible?

    3. Re:Why is this just breaking now? by charlieman · · Score: 1

      Well you should have send it to /. 2 weeks ago then.

    4. Re:Why is this just breaking now? by sholden · · Score: 1

      Why not read the second paragraph of the article?

      Yes, I must be new here...

    5. Re:Why is this just breaking now? by kalleguld · · Score: 2, Insightful

      Phishing websites. Why should they be careful about the security of the user?

      --
      Sigs are bad for your health
    6. Re:Why is this just breaking now? by jamietre · · Score: 1

      Doh! Of course. Rolling my eyes, at myself...

    7. Re:Why is this just breaking now? by Deanalator · · Score: 1

      The first time I looked at the link that was posted on full disclosure, all the passwords etc were there, but when I checked again the next day they had been removed. I think Google actually did a pretty quick cleanup job cleaning up their mess. The delay is due to the media echo chamber.

      Remember that the full disclosure event was reported to Finjan, who did an analysis. Someone over at information week then wrote an article about this analysis, which was posted yesterday. The slashdot posting is about the information week article.

    8. Re:Why is this just breaking now? by heytal · · Score: 1

      These weren't the real sites, I believe. They were phishing sites, which passed logins and passwords in the URL. The URL's submitted by the users were supposed to be blacklisted, and hence the list was published.

      If the user, before submitting the URL did not check for personal information in the URL, it's that user's problem, and not Google's.

      I think it was pretty smart on behalf of Google to come up with an algorithm to look at the submitted URL, and remove the personal data.

    9. Re:Why is this just breaking now? by jamietre · · Score: 1

      Yes, I got schooled already. Since then I've changed my mind completely: google is not just irresponsible, but pretty stupid for allowing this to happen at all. Why include ANY part of the query string at all? A reference to a phishing web site ought to end with the "?" in the URL. I would think the "algorithm" would just be "ditch anything after the actual location." Even if it didn't occur to them that there might be personal data in the query-string part of the URL, there's no reason to keep any of it in the first place. This just makes the reference to the site more unique and therefore less likely to be matched when someone uses the database.

    10. Re:Why is this just breaking now? by perenaurel · · Score: 1

      i posted a /. comment with a link to this mailing list post a few weeks ago...

  2. Never fear! by greginnj · · Score: 4, Funny
    Google has removed a few user names and passwords posted inadvertently to a phishing blacklist it compiles and makes publicly available on the Web.
    Never fear, they're still available on Google Cache :)

    --
    Read the best of all of Slash: seenonslash.com
  3. Nice by madsheep · · Score: 2, Interesting

    Sounds like we have some sites that are passing persistent username and password information in the URL (not just querystrings etc). That's pretty lame. I think Barracuda SPAM Firewall does this as well. Perhaps one of these days we'll just see applications with a higher level of security and won't have to worry about this so much.

    1. Re:Nice by Nos. · · Score: 1

      Passing strings via POST as opposed to GET is not "secure". Both can be easily sniffed. The only way to do it is to use SSL, in which case, even the GET strings are encrypted.

    2. Re:Nice by madsheep · · Score: 1

      SSL has nothing to do with it though if it's a GET or persisting URL. It can be encrypted all it wants to be to and from the server, but doesn't mean it cannot be picked up as a phishing site..unless the anti-phishing URL checker breaks because it's preceded by https.

    3. Re:Nice by lukas84 · · Score: 2, Insightful

      You are right, but that's not the point.

      URLs are commonly copy and pasted, submitted to other sites, can be read in the browser history, in proxy logs, etc.

      Of course, you can configure a proxy to log POST data, but this is beside the point. This is about preventing unintended duplication of sensitive data, not actual attacks.

    4. Re:Nice by Anonymous Coward · · Score: 2, Insightful

      Sounds like we have some sites that are passing persistent username and password information in the URL (not just querystrings etc). That's pretty lame.

      That's quite an understatement. Doing that not only causes problems like this, it also discloses your username and password to a) anybody with access to a proxy log (it's easier to get hold of that than root the proxy to sniff the traffic) and b) any website you navigate to directly from the braindead website (since the URI, including the username and password, will be sent to the new website in the Referer HTTP header).

    5. Re:Nice by Cally · · Score: 1

      or encrypt the data on the server side before sending it back to the client (via a cookie by preference. You can't bookmark a cookie ;)

      --
      "None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
    6. Re:Nice by Nos. · · Score: 1

      But how does the data get to the server in the first place. If its not encrypted from step one, its not secure.

  4. This is why I don't use a phishing filter by SNR+monkey · · Score: 4, Funny

    Now please excuse me, g00gle.com tells me I need to enter my gmail login, password, and a valid credit card number to unlock my gmail account.

  5. Google by Newfie2005 · · Score: 5, Funny

    "Google also encourages users to use its search engine as a free credit card and Social Security number monitoring service for Web-based content. "We also suggest that individuals create Google Alerts for their credit card and Social Security numbers," the company recommends. "You can be notified once a day or once a week if a new result appears on Google for this query."

    As if google doesn't know enough about us, whats next, check google to see if someone is eating the same meal as you for breakfast?

    1. Re:Google by AutopsyReport · · Score: 1

      Not when my sexual history can be summed up in a four-letter word: NULL.

      --

      For he today that sheds his blood with me shall be my brother.

    2. Re:Google by AugustZephyr · · Score: 1

      You and the rest of the /. community. This is gonna kill my karma.

  6. Google's Fault? How about FF? by EveryNickIsTaken · · Score: 5, Insightful

    "This information was submitted to Google by Firefox users with the browser's internal antiphishing toolbar." So, the antiphishing toolbar is submitting full URL's without stripping them of uids/pwds/hashes. Sounds like both FF and Google are to blame for this one.

    1. Re:Google's Fault? How about FF? by Jherek+Carnelian · · Score: 1

      "This information was submitted to Google by Firefox users with the browser's internal antiphishing toolbar."

      What internal antiphishing toolbar? I use firefox 2.0 and the only toolbars listed on View->Toolbars are Navigation and Bookmarks.

    2. Re:Google's Fault? How about FF? by Original+Replica · · Score: 1

      Does anyone know of a toolbar that hasn't eventually been the source of a problem? In the past past I would have said Google toolbar, but now I'm not so sure.

      --
      We are all just people.
  7. Big deal.. by madhatter256 · · Score: 1

    This kinda is a big deal. Imagine all the customers of Bank of America, Suntrust, Citibank, and Wachovia who are constantly reporting to google whenever they come across a phishing site. Dyslexic still continue in reporting fishing.com to google *sigh*.

    --
    Previewing comments are for sissies!
  8. Truth about phishing by fatnicky · · Score: 2, Insightful

    We only comment about the jerks who phish for one reason.

    We didn't think of it first.

    --
    Free childcare classifieds: www.carebrite.com
    1. Re:Truth about phishing by flyingfsck · · Score: 1

      Give a man a phish and he has one credit card to misuse.
      Teach a man how to phish and he has unlimited credit for life...

      --
      Excuse me, but please get off my Pennisetum Clandestinum, eh!
    2. Re:Truth about phishing by FooAtWFU · · Score: 3, Interesting

      Whatever we you are talking about, I do not wish to be a member of it. Thank you.

      --
      The World Wide Web is dying. Soon, we shall have only the Internet.
    3. Re:Truth about phishing by StikyPad · · Score: 1

      We concur.

      --
      https://www.eff.org/https-everywhere
    4. Re:Truth about phishing by NZBeeMan · · Score: 1

      Give a man a phish and feed him for a day...
      Teach a man how to phish and he will sit in a boat and drink beer all day.

  9. Do no evil by Robert+Goatse · · Score: 1, Insightful

    Let's get all of the Google nuthuggers out of the woodwork to defend their g00gl3!!!11 Now, if it was Microsoft on the other hand, they would be skewered to no end for a SNAFU such as this.

    1. Re:Do no evil by creativeHavoc · · Score: 1

      Well if you actually read the comments above instead of going straight to complaining you would see the posts are all pretty much jokes, or people blaming google (or firefox too)

      --
      insight through the mind
  10. Quick! by thanksforthecrabs · · Score: 4, Funny

    Switch to Internet Explorer 7!

    1. Re:Quick! by RzUpAnmsCwrds · · Score: 1

      IE7 strips GET data (anything after the ?) from the pages you check, so this kind of thing doesn't happen.

      The funny thing is that there was an article about this on IEBlog months ago - I'm amazed that Google didn't do this.

  11. Re:Blame Dynamic DNS Services by iago-vL · · Score: 1
    255.255.255.255.securebanking.BankOfAmerica.com/Lo gin/aseer223as/index.jsp
    sec.tw.seurebanking.BankOfAmerica.com/Login/aseer2 23as/index.jsp

    Correct me if I'm wrong, but wouldn't both of those be controlled by "BankOfAmerica.com"? Unless the spaces are somehow significant..

    --
    http://www.skullsecurity.org/blog/
  12. Antiphishing is really click-tracking by Statecraftsman · · Score: 1

    Does anyone know what limits are placed on the urls that are sent to Google(and with IE7 Microsoft)? I figure that if these companies wanted to they could use all these urls to piece together what the most popular search results should be for any query. Even if these companies could not do this, a community-based, properly anonymizing service could almost replace any search engine on the planet by tracking what keywords lead to what websites people click on. Has anyone heard of this idea or has it been shot down for some other reason besides the privacy concerns?

    1. Re:Antiphishing is really click-tracking by Statecraftsman · · Score: 1

      That's good to know...I still think it'd be cool if there was some way to build a search engine based on anonymized click info from clients. Too bad, the useful data in such a scenario has the potential to identify the user. There's got to be a way to do it and make the database publicly available so it can be audited. Maybe only capture the first click from any results page and strip out the personally identifiable info in a url in a custom way for each url. The only thing missing then would be the marketing for a search engine nobody owns.

  13. Oops! by Phusion0 · · Score: 1

    Sorry!

    --
    Smokedot.org
  14. Let me get this straight by iabervon · · Score: 4, Insightful

    Okay, so people are accidentally sending Google URLs with their usernames and passwords in them, and Google is then reporting this information to whoever cares.

    But the URLs people are submitting are URLs of sites they think are phishing sites. People are effectively saying, "I think this site stole my password, which is 12345." Okay, so maybe Google shouldn't widely distribute this accidentally-disclosed information, but... how much do you care about whether the general public can see your password, when you've already provided it to somebody who was actually trying to collect it for presumably nefarious purposes? Surely these passwords have been changed, right? Right?

  15. Missing the Interesting Part of the Story by Dotnaught · · Score: 4, Informative
    The most interesting aspect of the story is that Google's auto-suggestion code will suggest a social security number search keyed to a specific person and that the Google engineers were unaware of this possibility. In other words, if you search for your name and social security number enough times, someone else searching on your name might get a search suggestion that included the social security number you entered (if you did it a lot).

    In fact, Google is downright helpful when it comes to finding Social Security numbers: In one case -- and it may be the only one -- Google will identify an individual whose Social Security number has been posted online, thanks to a feature in the Google Toolbar that generates search suggestions based on popular searches. (Evidently, a lot of people have searched for this person's Social Security number.)

    Entering two keywords related to Social Security numbers -- call them "x" and "y" so as not to compound the problem -- into the Google Toolbar will produce a keyword search suggestion in the form "x y John Doe." Selecting the suggested search terms and name, as might be expected, generates a search results page with the named person's Social Security number.


  16. Searching your SSN worked great for AOL users... by patio11 · · Score: 1

    What is my assurance that a "trusted partner" doesn't gain access to "Aggregate search queries with no personally identifying information involved" five years down the line and run grep /[0-9]{3}\-[0-9]{2}\-[0-9]{4}/ against it? Anything that goes into the search hopper is retained, forever, so that Google can use it to tweak their algorithms. Google *has* my credit card number on file (AdWords) and can even access my bank account (Checkout) but these are risks that I can tolerate because presumably they have procedures in place to protect information they KNOW is sensitive and even if they don't my bank has ultimate liability for unauthorized charges. I'm not NEARLY so convinced that they have adequate procedures in place to protect search queries, which most people would assume are probably pretty harmless. (I know they bounced a Justice Department demand to turn over a million random queries once. Bully for their lawyers yesterday, what about their most clueless employee *tomorrow*? AOL posted their queries out of a desire to do good and genuine ignorance about the downside potential, too.)

    Every time I accessed a credit card number on a customer account at an old place of employment there was an audit trail generated and what numbers I was accessing was periodically reviewed against what accounts I had legitimate business servicing. Does Google keep similarly in-depth records about internal/external use of their query data? I don't have confidence that this is the case.

    --
    Help poke pirates in the eyepatch, arr.
  17. Re:rgerer by madcow_bg · · Score: 1

    Well ... without AI it is just impossible to distinguish between troll and off-topic first posts and on-topic fp-s.\
    Besides, if they want to spend their karma this way ... let them do it. Democracy at it's best :).