Google Public Service Search Makes for Easy Phishing

Zonk posted more than 8 years ago | from the watch-where-you-search dept.

lisah writes "According to reports at NewsForge this morning, Developer Eric Farraro has discovered a potential hole in Google's Public Search Service that may leave the door wide open for phishing scams. The Public Search Service, designed to allow universities and other non-profit institutions to add Google search capabilities to their websites, provides code that allows website developers to customize the header and footer of the search results page. Handy (and malicious) coders can manipulate the headers and footers to create what looks like a Google sign-in page and then collect the login names and passwords of unsuspecting users." NewsForge and Slashdot are both owned by OSTG.

40 comments

report them (1, Funny)

gEvil (beta) (945888) | more than 8 years ago | (#16114352)

Quick, someone report them to stopbadware.org!

Article notes... (1)

DarkShadeChaos (954173) | more than 8 years ago | (#16114376)

to be cautious when signing in to any google services with '/u/servicename ' in the url. I can see how this could be potentially bad; even people checking to see if it was google.com in the address bar would not see anything to merit phishing.

Re:Article notes... (3, Informative)

russ1337 (938915) | more than 8 years ago | (#16114868)

So how is their exploit any different from a sysadmin changing the DNS table on his server and presenting a page to the internal network that 'looks like google' and even has 'www.google.com/ig' (or a bank, ebay etc)? Isn't this why we have 'trusted websites/verisign etc... ?

Give a man a fish... (3, Funny)

Kenja (541830) | more than 8 years ago | (#16114384)

Give a man a fish and he can eat for one day, teach a man to phish and he can annoy millions of people for the rest of his (hopefully short) life.

(Sigh) It's all rather depressing really. After having the same domain and email address for ten years my spam to real mail ratio is about 500:1 and I can find my email address on decade old usenet posts via Google.

Re:Give a man a fish... (4, Funny)

AugustZephyr (989775) | more than 8 years ago | (#16115390)

On a similar note....
Build a man a fire and keep him warm for a night. Set a man on fire and you will keep him warm for the rest of his life.

Any major web service has this non-issue (2, Insightful)

mounthood (993037) | more than 8 years ago | (#16114411)

If you make a Yahoo! Store that looks like Yahoo mail ... or an MSN page that looks like hotmail ...

Of course (1)

NineNine (235196) | more than 8 years ago | (#16115638)

Of course you're right. What it boils down to is the Net is filled to the brim with scams, cons, (bad) hackers, etc., and there's absolutely nothing to stop them. Net crime is absolutely rampant, and there's virtually no law enforcement agency that can do anything about it.
Personally, I think it's going to get so bad that all online commerce is going to grind to a halt either because of scared customers, or because companies' litigation costs.

Re:Of course (1)

John Hasler (414242) | more than 8 years ago | (#16150506)

> Net crime is absolutely rampant, and there's virtually no law enforcement
> agency that can do anything about it.

_Will_ do anything about it.

Not a google issue... (1, Interesting)

cosinezero (833532) | more than 8 years ago | (#16114412)

That's not a hole in google's code. Any website coder can code up a phishing page that looks legit. Where is this Google's security issue?

Re:Not a google issue... (5, Insightful)

dontbflat (994444) | more than 8 years ago | (#16114447)

It's google's issue because they are HOSTING it. If they weren't hosting the code, then fine. But they are and that's where the problem lies.

Re:Not a google issue... (1)

dancingyel (981935) | more than 8 years ago | (#16114552)

That, and the URL looks deceptively legit.

Re:Not a google issue... (1, Informative)

Anonymous Coward | more than 8 years ago | (#16114466)

It sure is. The header and footer are hosted at google. So the malicious javascript that clears the innerHTML of the page can then be set to look like a different google login prompt, or anything for that matter, and the form data captured and posted to anywhere. Basically, it's an issue because the javascript to do the harm exists at google, because the offender can put it there. Google needs to make it so javascript cannot be used in the footer and header that is customized. Quite simple to fix really.

Bottom line, quote: "avoid providing your Google credentials to any Google services with the /u/servicename construction."

Re:Not a google issue... (4, Insightful)

Infinityis (807294) | more than 8 years ago | (#16114535)

The problem is that usually people can type in the URL from a suspicious looking email and prevent phishing attacks. In this case, typing in the URL took you to precisely the same site. All the anti-phishing advice you've been giving your family and friends would prove useless under these circumstances.

Re:Not a google issue... (2, Interesting)

fmobus (831767) | more than 8 years ago | (#16117191)

The security issue is not the design that looks legit. The issue is that the code is actually hosted at a Google Domain, thus being able to read Google.com cookies. This could mean some nasty attacks: if the injected javascript is allowed to read your gmail session cookies, for example, the attacker will be able to spoof your session, and steal your account. The other issue is that most users are "trained" to trust anything coming from a "www.google.com" domain.
This is really bad. I hope google put this service down until they solve the problem (i.e. not allowing javascript nor "evil" css). Maybe some templating language or XML/XSLT hacks instead of full blown HTML.
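
Added example, not part of any comment in this thread and not Google's code: one way to build the restricted template the comments above call for, where the site owner supplies data fields instead of markup and the host renders them with escaping. The field names (`title`, `logoUrl`, `bgColor`, `textColor`) and the sample values are assumptions made up for the illustration.

```javascript
// Hypothetical header config: the customer sends fields, never HTML or script.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const escapeHtml = (s) => String(s).replace(/[&<>"']/g, (c) => ESCAPES[c]);

// Colors are matched against a strict pattern so nothing can break out of style="".
const HEX_COLOR = /^#[0-9a-fA-F]{6}$/;
const ALLOWED_FIELDS = new Set(['title', 'logoUrl', 'bgColor', 'textColor']);

function validateLogoUrl(raw) {
  let u;
  try { u = new URL(raw); } catch { throw new Error('logoUrl is not an absolute URL'); }
  // Rejects javascript:, data:, http: and anything else that is not https.
  if (u.protocol !== 'https:') throw new Error('logoUrl must use https');
  if (u.username || u.password) throw new Error('logoUrl must not carry credentials');
  return u.href;
}

function renderHeader(cfg) {
  for (const k of Object.keys(cfg)) {
    if (!ALLOWED_FIELDS.has(k)) throw new Error(`unknown field: ${k}`);
  }
  if (typeof cfg.title !== 'string' || cfg.title.length === 0 || cfg.title.length > 80) {
    throw new Error('title must be 1-80 characters');
  }
  for (const k of ['bgColor', 'textColor']) {
    if (!HEX_COLOR.test(cfg[k])) throw new Error(`${k} must be #RRGGBB`);
  }
  const logo = validateLogoUrl(cfg.logoUrl);
  // Every customer-controlled value is either pattern-validated or HTML-escaped.
  return `<div class="custom-header" style="background:${cfg.bgColor};color:${cfg.textColor}">` +
    `<img src="${escapeHtml(logo)}" alt="">` +
    `<span>${escapeHtml(cfg.title)}</span></div>`;
}

// Wrapper that reports the outcome instead of throwing.
function tryRender(cfg) {
  try { return { ok: true, html: renderHeader(cfg) }; }
  catch (e) { return { ok: false, error: e.message }; }
}

// Constructed sample: script in the title comes out as inert text.
console.log(tryRender({ title: 'Library <script>alert(1)</script> Search',
  logoUrl: 'https://example.edu/logo.png', bgColor: '#003366', textColor: '#ffffff' }));
```

Because no customer-supplied markup ever reaches the page, there is no script running on the host's origin to rewrite the page or read its cookies.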

Try the address.... (3, Insightful)

dontbflat (994444) | more than 8 years ago | (#16114424)

And you find that the google www.google.com/u/gplus doesn't work now. I'll say one thing. They sure are quick. Now they should just put those search results in an IFRAME that you can't change like the adsense code.

People always are looking for new ways to get user/pass from unsuspecting users. The internet is used to hurt the ignorant. I just hope I won't fall into such a good looking trap.

Re:Try the address.... (1)

Kenja (541830) | more than 8 years ago | (#16114442)

"And you find that the google www.google.com/u/gplus doesn't work now."

Wonder if Google has a cache of the page for us to look at.

I love you, Gooooogle (2, Funny)

Frankie70 (803801) | more than 8 years ago | (#16114956)


> And you find that the google www.google.com/u/gplus doesn't work now. I'll say one thing. They sure are quick.

How the hell did they manage that gazillion man hours work of disabling a webpage & then testing the fix of disabling the webpage so quickly.

I bet everyone right from the top to bottom at Google must have been working non-stop on disabling this webpage.

Anyway, Kudos & three cheers to Google on disabling this so quickly. They surely are amazing. Who knows, maybe they even hired a few thousand extra temporary workers also to work on disabling this webpage. What a great company.

I love you, Gooooogle

We're spoiled (1)

sunny256 (448951) | more than 8 years ago | (#16115114)

> > And you find that the google www.google.com/u/gplus doesn't work now. I'll say one thing. They sure are quick.

> How the hell did they manage that gazillion man hours work of disabling a webpage & then testing the fix of disabling the webpage so quickly.

> I bet everyone right from the top to bottom at Google must have been working non-stop on disabling this webpage.

I'm sorry for bringing this eternal FOSS-theme into the picture, but as Google is pretty involved in the FOSS community, they know that users of free software don't believe in security by obscurity (which this isn't anymore anyway) and they are used to quick fixes to security holes. No wait for next month's upgrade, things are fixed by someone right now. And cracked user accounts are bad publicity in any case.

Re:I love you, Gooooogle (1)

lostboy2 (194153) | more than 8 years ago | (#16115201)

Well, I'd mod you +0.5 Funny and -0.5 Flamebait, so it evens out.

I think the implied point of the parent post is that there are companies which would not (and apparently do not) respond so quickly. (At least, this is the perception, judging by comments [slashdot.org] in other /. stories).

So, it's really a comment about the apparent level of Google's bureaucracy (i.e., not as bad as some), not their technical expertise. Of course, that's really just a comment about how bad other companies are perceived to be with regards to responding to things like that.

Just for the record, I'm not a Google-evangelist.

Original post (3, Informative)

Infinityis (807294) | more than 8 years ago | (#16114494)

Original post [ericfarraro.com]
Site in question [google.com]

It looks like the page has been replaced with a message warning about viruses and spyware. I looked at the page earlier (from Reddit.com) and the login page looked very legit--scary indeed.
If you put in a username and password, he didn't store it but he echoed it back to your browser. Even though he didn't store it, my concern was that the password was still being transmitted via plaintext...

Re:Original post (1)

FooAtWFU (699187) | more than 8 years ago | (#16115098)

We're sorry ... but your query looks similar to automated requests from a computer virus or spyware application. To protect our users, we can't process your request right now.

So. Which of these exactly is Slashdot: a computer virus, or a spyware application?

I favor the "virus" analogy.

Ackbar'ed (4, Funny)

Infinityis (807294) | more than 8 years ago | (#16114557)

IT'S A TRAP

Totally off topic (-1, Offtopic)

cant_get_a_good_nick (172131) | more than 8 years ago | (#16114591)

I was reading bash.org, flipped over to here, saw "NewsForge and Slashdot are both owned by OSTG." and saw "NewsForge and Slashdot both pwn3d you, STFU"

I need a life.

National Google Alert (1)

dilvish_the_damned (167205) | more than 8 years ago | (#16114659)

I rank Joe at +8 [Alarmist] with a +6 [Cant be trusted with his password] modifier for a final score of 14 [Dork].
I rank Zonk at +4 [asleep at the wheel].

If you look closely, you will notice I wasn't being negative.

Re:National Google Alert (1)

dilvish_the_damned (167205) | more than 8 years ago | (#16116199)

Oops, I was wrong, this looks like it might be an issue. For some people anyhow. Premature flame.
Won't happen again. Today.

Screw up of Google (4, Insightful)

mapkinase (958129) | more than 8 years ago | (#16114831)

This is a very Google-specific screw-up. It is not like they forgot to change some default setting, it is a specifically designed feature that went wrong.

Google certainly does not do evil, but it is not exactly catching in the rye.

Re:Screw up of Google (1)

maxume (22995) | more than 8 years ago | (#16116278)

Go to your room! NOW!

If only... (1)

Threni (635302) | more than 8 years ago | (#16114932)

...there was an easy way of getting to Google to log in, such as by typing `google` and hitting control-return.

Porn from the Smithsonian Institute (1)

robotsrule (805458) | more than 8 years ago | (#16115152)

Whew! That explains it! I was really tired of getting all that porn from The Smithsonian Institute showing Neanderthal couples doing the nasty with a Woolly Mammoth. I never opened any of it of course!

to rephrase this (2, Funny)

AlgorithMan (937244) | more than 8 years ago | (#16115185)

> coders can [...] create what looks like a Google sign-in page and then collect the login names and passwords of unsuspecting users.

to rephrase this:
Eric Farraro has discovered that phishing might exist...

Re:to rephrase this (1)

asylumx (881307) | more than 8 years ago | (#16115806)

Nice quip, but actually what he's discovered is a way to create such a phishing page and get google to even host it on their domain... which makes it almost completely impossible to detect as phishing until it's too late.

Back to the Future (0)

Anonymous Coward | more than 8 years ago | (#16115261)

Ah hell, let's just go back to pen & paper and leave the internet to (free) porn and "anonymous" socializing.

Bad habits (1, Insightful)

thesandtiger (819476) | more than 8 years ago | (#16115380)

Generally, unless I have specifically typed in a URL I know is safe, I will at the very least check the address bar of my browser before signing in to something. That means that any time there's a link to something - even from a source that I trust - I will check to make sure I am where I think I am. Of course, I'm slightly paranoid, and I would expect that the average user doesn't do this kind of thing. It's kind of like the "secure" commerce sites - how many people actually check for the little lock/key thingy? Probably most on /., but in the real world it seems like a shiny website with stuff mainly spelled correctly is good enough for most.

And speaking of laziness.... Why is it that the only "editorial" behavior /. editors do is the "full-disclosure" thing with stories that are somehow associated with /. or their masters?

It's like "Oh, we won't bother ensuring that something's not a dupe, and we won't bother to spell, grammar or fact check submissions - but hey, we can sure look all editorly if we just do that disclosure thingy! LOOKIT ME!!! I CAINT SPEL EDITIR, BUT I ARE WON!!!!"

Sorry. (And good-bye, karma!)

the shiny lock is no guarantee (1)

ClintJCL (264898) | more than 8 years ago | (#16115988)

There are now exploits which work beneath the SSL layer. The lock is no guarantee. :) Read about it in Infoworld...

What about using js to grab cookies? (2, Insightful)

mbannonb (262682) | more than 8 years ago | (#16116316)

Instead of using javascript to create a modified form, why not use javascript to grab the user's google cookies and send them to yourself while on the google.com domain?

Re:What about using js to grab cookies? (1)

caseydk (203763) | more than 8 years ago | (#16116377)

I said this exactly to my security buddy who pointed this site out to me. Who knows what will be in the cookie?
