Friday, September 15, 2006

Google Public Search, Vulnerable to Phishing


Google has a special search service for universities that lets them create a customized page at google.com/u/name. Eric Farraro used this service to build a Gmail-like login page with some simple JavaScript. Although the page wasn't actually used for phishing (the credentials weren't stored), it was enough for Google to remove the page and temporarily close registrations for the service.

The page was available at http://google.com/u/gplus and fooled many people who didn't notice that it wasn't served over a secure connection (Google's real login uses https) and assumed it was a new service from Google.

"Similar 'phishing' sites could be set up at ANY URL. What makes this type of exploit so insidious is that most people would consider the URL to be safe: http://www.google.com/u/gplus. While Google has suffered from similar attacks in the past, most of them have had suspicious URLs, at least to the advanced user. Using the exploit in this service, a malicious attacker could launch phishing sites that even advanced users could fall for," explains the "attacker".

So next time you enter your password on a site, check the address bar first, and remember that a trusted domain alone doesn't prove the page is legitimate. It's also a good idea to use only secure (https) logins.
