Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Antiphishing Site Exposed Private User Data

Posted by kdawson on from the self-phishing dept.

Juha-Matti Laurio writes "Google has removed a few user names and passwords posted inadvertently to a phishing blacklist it compiles and makes publicly available on the Web. This information was submitted to Google by Firefox users with the browser's internal antiphishing toolbar. This feature, developed in cooperation with Google, enables users to report potential phishing sites to Google's blacklist database. Google has reportedly implemented a new mechanism detecting login data in submitted URLs to prevent sensitive information from getting posted to the list." The article notes that news of this minor lapse may obscure the ongoing problem of sensitive data exposed on the Web and findable via Google and other search services.

16 of 69 comments (clear)

  1. Why is this just breaking now? by winkydink · · Score: 3, Insightful

    It was discussed on the full-disclosure mailing list 2 weeks ago. If Google is continuing to do this, it's hard for me to see it as anything but irresponsible.

    --

    "I'd rather be a lightning rod than a seismometer." -Ken Kesey

    1. Re:Why is this just breaking now? by jmazzi · · Score: 4, Insightful

      Well, obviously not everyone is on the mailing list your talking about (including the slashdot editor). This is news to me. Putting it on a site like slashdot will help educate people who weren't already aware.

    2. Re:Why is this just breaking now? by jamietre · · Score: 3, Insightful

      There are websites that manage sensitive information that pass usernames & passwords in the actual URL, and you think Google's irresponsible?

    3. Re:Why is this just breaking now? by kalleguld · · Score: 2, Insightful

      Phishing websites. Why should they be careful about the security of the user?

      --
      Sigs are bad for your health
  2. Never fear! by greginnj · · Score: 4, Funny
    Google has removed a few user names and passwords posted inadvertently to a phishing blacklist it compiles and makes publicly available on the Web.
    Never fear, they're still available on Google Cache :)

    --
    Read the best of all of Slash: seenonslash.com
  3. Nice by madsheep · · Score: 2, Interesting

    Sounds like we have some sites that are passing persistent username and password information in the URL (not just querystrings etc). That's pretty lame. I think Barracuda SPAM Firewall does this as well. Perhaps one of these days we'll just see applications with a higher level of security and won't have to worry about this so much.

    1. Re:Nice by lukas84 · · Score: 2, Insightful

      You are right, but that's not the point.

      URLs are commonly copy and pasted, submitted to other sites, can be read in the browser history, in proxy logs, etc.

      Of course, you can configure a proxy to log POST data, but this is beside the point. This is about preventing unintended duplication of sensitive data, not actual attacks.

    2. Re:Nice by Anonymous Coward · · Score: 2, Insightful

      Sounds like we have some sites that are passing persistent username and password information in the URL (not just querystrings etc). That's pretty lame.

      That's quite an understatement. Doing that not only causes problems like this, it also discloses your username and password to a) anybody with access to a proxy log (it's easier to get hold of that than root the proxy to sniff the traffic) and b) any website you navigate to directly from the braindead website (since the URI, including the username and password, will be sent to the new website in the Referer HTTP header).

  4. This is why I don't use a phishing filter by SNR+monkey · · Score: 4, Funny

    Now please excuse me, g00gle.com tells me I need to enter my gmail login, password, and a valid credit card number to unlock my gmail account.

  5. Google by Newfie2005 · · Score: 5, Funny

    "Google also encourages users to use its search engine as a free credit card and Social Security number monitoring service for Web-based content. "We also suggest that individuals create Google Alerts for their credit card and Social Security numbers," the company recommends. "You can be notified once a day or once a week if a new result appears on Google for this query."

    As if google doesn't know enough about us, whats next, check google to see if someone is eating the same meal as you for breakfast?

  6. Google's Fault? How about FF? by EveryNickIsTaken · · Score: 5, Insightful

    "This information was submitted to Google by Firefox users with the browser's internal antiphishing toolbar." So, the antiphishing toolbar is submitting full URL's without stripping them of uids/pwds/hashes. Sounds like both FF and Google are to blame for this one.

  7. Truth about phishing by fatnicky · · Score: 2, Insightful

    We only comment about the jerks who phish for one reason.

    We didn't think of it first.

    --
    Free childcare classifieds: www.carebrite.com
    1. Re:Truth about phishing by FooAtWFU · · Score: 3, Interesting

      Whatever we you are talking about, I do not wish to be a member of it. Thank you.

      --
      The World Wide Web is dying. Soon, we shall have only the Internet.
  8. Quick! by thanksforthecrabs · · Score: 4, Funny

    Switch to Internet Explorer 7!

  9. Let me get this straight by iabervon · · Score: 4, Insightful

    Okay, so people are accidentally sending Google URLs with their usernames and passwords in them, and Google is then reporting this information to whoever cares.

    But the URLs people are submitting are URLs of sites they think are phishing sites. People are effectively saying, "I think this site stole my password, which is 12345." Okay, so maybe Google shouldn't widely distribute this accidentally-disclosed information, but... how much do you care about whether the general public can see your password, when you've already provided it to somebody who was actually trying to collect it for presumably nefarious purposes? Surely these passwords have been changed, right? Right?

  10. Missing the Interesting Part of the Story by Dotnaught · · Score: 4, Informative
    The most interesting aspect of the story is that Google's auto-suggestion code will suggest a social security number search keyed to a specific person and that the Google engineers were unaware of this possibility. In other words, if you search for your name and social security number enough times, someone else searching on your name might get a search suggestion that included the social security number you entered (if you did it a lot).

    In fact, Google is downright helpful when it comes to finding Social Security numbers: In one case -- and it may be the only one -- Google will identify an individual whose Social Security number has been posted online, thanks to a feature in the Google Toolbar that generates search suggestions based on popular searches. (Evidently, a lot of people have searched for this person's Social Security number.)

    Entering two keywords related to Social Security numbers -- call them "x" and "y" so as not to compound the problem -- into the Google Toolbar will produce a keyword search suggestion in the form "x y John Doe." Selecting the suggested search terms and name, as might be expected, generates a search results page with the named person's Social Security number.