Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Antiphishing Site Exposed Private User Data

Posted by kdawson on from the self-phishing dept.

Juha-Matti Laurio writes "Google has removed a few user names and passwords posted inadvertently to a phishing blacklist it compiles and makes publicly available on the Web. This information was submitted to Google by Firefox users with the browser's internal antiphishing toolbar. This feature, developed in cooperation with Google, enables users to report potential phishing sites to Google's blacklist database. Google has reportedly implemented a new mechanism detecting login data in submitted URLs to prevent sensitive information from getting posted to the list." The article notes that news of this minor lapse may obscure the ongoing problem of sensitive data exposed on the Web and findable via Google and other search services.

8 of 69 comments (clear)

  1. Never fear! by greginnj · · Score: 4, Funny
    Google has removed a few user names and passwords posted inadvertently to a phishing blacklist it compiles and makes publicly available on the Web.
    Never fear, they're still available on Google Cache :)

    --
    Read the best of all of Slash: seenonslash.com
  2. This is why I don't use a phishing filter by SNR+monkey · · Score: 4, Funny

    Now please excuse me, g00gle.com tells me I need to enter my gmail login, password, and a valid credit card number to unlock my gmail account.

  3. Google by Newfie2005 · · Score: 5, Funny

    "Google also encourages users to use its search engine as a free credit card and Social Security number monitoring service for Web-based content. "We also suggest that individuals create Google Alerts for their credit card and Social Security numbers," the company recommends. "You can be notified once a day or once a week if a new result appears on Google for this query."

    As if google doesn't know enough about us, whats next, check google to see if someone is eating the same meal as you for breakfast?

  4. Google's Fault? How about FF? by EveryNickIsTaken · · Score: 5, Insightful

    "This information was submitted to Google by Firefox users with the browser's internal antiphishing toolbar." So, the antiphishing toolbar is submitting full URL's without stripping them of uids/pwds/hashes. Sounds like both FF and Google are to blame for this one.

  5. Re:Why is this just breaking now? by jmazzi · · Score: 4, Insightful

    Well, obviously not everyone is on the mailing list your talking about (including the slashdot editor). This is news to me. Putting it on a site like slashdot will help educate people who weren't already aware.

  6. Quick! by thanksforthecrabs · · Score: 4, Funny

    Switch to Internet Explorer 7!

  7. Let me get this straight by iabervon · · Score: 4, Insightful

    Okay, so people are accidentally sending Google URLs with their usernames and passwords in them, and Google is then reporting this information to whoever cares.

    But the URLs people are submitting are URLs of sites they think are phishing sites. People are effectively saying, "I think this site stole my password, which is 12345." Okay, so maybe Google shouldn't widely distribute this accidentally-disclosed information, but... how much do you care about whether the general public can see your password, when you've already provided it to somebody who was actually trying to collect it for presumably nefarious purposes? Surely these passwords have been changed, right? Right?

  8. Missing the Interesting Part of the Story by Dotnaught · · Score: 4, Informative
    The most interesting aspect of the story is that Google's auto-suggestion code will suggest a social security number search keyed to a specific person and that the Google engineers were unaware of this possibility. In other words, if you search for your name and social security number enough times, someone else searching on your name might get a search suggestion that included the social security number you entered (if you did it a lot).

    In fact, Google is downright helpful when it comes to finding Social Security numbers: In one case -- and it may be the only one -- Google will identify an individual whose Social Security number has been posted online, thanks to a feature in the Google Toolbar that generates search suggestions based on popular searches. (Evidently, a lot of people have searched for this person's Social Security number.)

    Entering two keywords related to Social Security numbers -- call them "x" and "y" so as not to compound the problem -- into the Google Toolbar will produce a keyword search suggestion in the form "x y John Doe." Selecting the suggested search terms and name, as might be expected, generates a search results page with the named person's Social Security number.