Beta

Slashdot: News for Nerds

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Google Antiphishing Site Exposed Private User Data

kdawson posted more than 7 years ago | from the self-phishing dept.

Google 69

Juha-Matti Laurio writes "Google has removed a few user names and passwords posted inadvertently to a phishing blacklist it compiles and makes publicly available on the Web. This information was submitted to Google by Firefox users with the browser's internal antiphishing toolbar. This feature, developed in cooperation with Google, enables users to report potential phishing sites to Google's blacklist database. Google has reportedly implemented a new mechanism detecting login data in submitted URLs to prevent sensitive information from getting posted to the list." The article notes that news of this minor lapse may obscure the ongoing problem of sensitive data exposed on the Web and findable via Google and other search services.

cancel ×

69 comments

rgerer (-1, Troll)

Anonymous Coward | more than 7 years ago | (#17726896)

sfdgsfgsfdg

Re:rgerer (0)

Anonymous Coward | more than 7 years ago | (#17729888)

This is off-topic, and if you want to mod me as such then waste your points, but seriously, why can't these "first posts" that are basically piles of shit not just automatically removed? Not that it takes much time to skip over reading it, but the level of care associated with these comments by the administrators is so non-existent that they will just KEEP HAPPENING until something is done about it!

Re:rgerer (1)

madcow_bg (969477) | more than 7 years ago | (#17735804)

Well ... without AI it is just impossible to distinguish between troll and off-topic first posts and on-topic fp-s.\
Besides, if they want to spend their karma this way ... let them do it. Democracy at it's best :).

Re:rgerer (0)

Anonymous Coward | more than 7 years ago | (#17740274)

Pardon the use of "automatically." I simply meant that, upon an editor seeing the crappy first post, how hard would it be to write a "delete permanently" button and use it?

Why is this just breaking now? (3, Insightful)

winkydink (650484) | more than 7 years ago | (#17726946)

It was discussed on the full-disclosure mailing list 2 weeks ago. If Google is continuing to do this, it's hard for me to see it as anything but irresponsible.

Re:Why is this just breaking now? (4, Insightful)

jmazzi (869663) | more than 7 years ago | (#17727152)

Well, obviously not everyone is on the mailing list your talking about (including the slashdot editor). This is news to me. Putting it on a site like slashdot will help educate people who weren't already aware.

Re:Why is this just breaking now? (0, Flamebait)

Anonymous Coward | more than 7 years ago | (#17727286)

Putting it on a site like slashdot will help educate people who weren't already aware.

It's a lost cause. Those who have some sense already know that GOOG is one of the greatest fuck-ups, technologically worse than AOL and MSN combined.

The fanbois, however, can't be turned back into rational human beings; they'll continue to drool over every shiny new GOOG-Turd-beta while wanking off to a picture of Steve Jobs.

Re:Why is this just breaking now? (-1, Troll)

Anonymous Coward | more than 7 years ago | (#17727540)

And so, the inevitable backlash begins.

Re:Why is this just breaking now? (1)

perenaurel (681620) | more than 7 years ago | (#17749066)

i posted [slashdot.org] a /. comment with a link [derkeiler.com] to this mailing list post a few weeks ago...

Re:Why is this just breaking now? (3, Insightful)

jamietre (1051578) | more than 7 years ago | (#17728130)

There are websites that manage sensitive information that pass usernames & passwords in the actual URL, and you think Google's irresponsible?

Re:Why is this just breaking now? (2, Insightful)

kalleguld (624992) | more than 7 years ago | (#17729194)

Phishing websites. Why should they be careful about the security of the user?

Re:Why is this just breaking now? (1)

jamietre (1051578) | more than 7 years ago | (#17729576)

Doh! Of course. Rolling my eyes, at myself...

Re:Why is this just breaking now? (1)

heytal (173090) | more than 7 years ago | (#17735570)

These weren't the real sites, I believe. They were phishing sites, which passed logins and passwords in the URL. The URL's submitted by the users were supposed to be blacklisted, and hence the list was published.

If the user, before submitting the URL did not check for personal information in the URL, it's that user's problem, and not Google's.

I think it was pretty smart on behalf of Google to come up with an algorithm to look at the submitted URL, and remove the personal data.

Re:Why is this just breaking now? (1)

jamietre (1051578) | more than 7 years ago | (#17736476)

Yes, I got schooled already. Since then I've changed my mind completely: google is not just irresponsible, but pretty stupid for allowing this to happen at all. Why include ANY part of the query string at all? A reference to a phishing web site ought to end with the "?" in the URL. I would think the "algorithm" would just be "ditch anything after the actual location." Even if it didn't occur to them that there might be personal data in the query-string part of the URL, there's no reason to keep any of it in the first place. This just makes the reference to the site more unique and therefore less likely to be matched when someone uses the database.

Re:Why is this just breaking now? (1)

charlieman (972526) | more than 7 years ago | (#17728572)

Well you should have send it to /. 2 weeks ago then.

Re:Why is this just breaking now? (1)

sholden (12227) | more than 7 years ago | (#17728880)

Why not read the second paragraph of the article?

Yes, I must be new here...

Re:Why is this just breaking now? (1)

Deanalator (806515) | more than 7 years ago | (#17732972)

The first time I looked at the link that was posted on full disclosure, all the passwords etc were there, but when I checked again the next day they had been removed. I think Google actually did a pretty quick cleanup job cleaning up their mess. The delay is due to the media echo chamber.

Remember that the full disclosure event was reported to Finjan, who did an analysis. Someone over at information week then wrote an article about this analysis, which was posted yesterday. The slashdot posting is about the information week article.

Never fear! (4, Funny)

greginnj (891863) | more than 7 years ago | (#17726984)

Google has removed a few user names and passwords posted inadvertently to a phishing blacklist it compiles and makes publicly available on the Web.
Never fear, they're still available on Google Cache :)

Nice (2, Interesting)

madsheep (984404) | more than 7 years ago | (#17726986)

Sounds like we have some sites that are passing persistent username and password information in the URL (not just querystrings etc). That's pretty lame. I think Barracuda SPAM Firewall does this as well. Perhaps one of these days we'll just see applications with a higher level of security and won't have to worry about this so much.

Re:Nice (1)

Nos. (179609) | more than 7 years ago | (#17727024)

Passing strings via POST as opposed to GET is not "secure". Both can be easily sniffed. The only way to do it is to use SSL, in which case, even the GET strings are encrypted.

Re:Nice (1)

madsheep (984404) | more than 7 years ago | (#17727202)

SSL has nothing to do with it though if it's a GET or persisting URL. It can be encrypted all it wants to be to and from the server, but doesn't mean it cannot be picked up as a phishing site..unless the anti-phishing URL checker breaks because it's preceded by https.

Re:Nice (2, Insightful)

lukas84 (912874) | more than 7 years ago | (#17727204)

You are right, but that's not the point.

URLs are commonly copy and pasted, submitted to other sites, can be read in the browser history, in proxy logs, etc.

Of course, you can configure a proxy to log POST data, but this is beside the point. This is about preventing unintended duplication of sensitive data, not actual attacks.

Re:Nice (1)

Cally (10873) | more than 7 years ago | (#17727912)

or encrypt the data on the server side before sending it back to the client (via a cookie by preference. You can't bookmark a cookie ;)

Re:Nice (1)

Nos. (179609) | more than 7 years ago | (#17728522)

But how does the data get to the server in the first place. If its not encrypted from step one, its not secure.

Re:Nice (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#17727248)

I cannot pronounce "baccaruda."

Re:Nice (2, Insightful)

Anonymous Coward | more than 7 years ago | (#17727568)

Sounds like we have some sites that are passing persistent username and password information in the URL (not just querystrings etc). That's pretty lame.

That's quite an understatement. Doing that not only causes problems like this, it also discloses your username and password to a) anybody with access to a proxy log (it's easier to get hold of that than root the proxy to sniff the traffic) and b) any website you navigate to directly from the braindead website (since the URI, including the username and password, will be sent to the new website in the Referer HTTP header).

This is why I don't use a phishing filter (4, Funny)

SNR monkey (1021747) | more than 7 years ago | (#17727010)

Now please excuse me, g00gle.com tells me I need to enter my gmail login, password, and a valid credit card number to unlock my gmail account.

Google (5, Funny)

Newfie2005 (932609) | more than 7 years ago | (#17727012)

"Google also encourages users to use its search engine as a free credit card and Social Security number monitoring service for Web-based content. "We also suggest that individuals create Google Alerts for their credit card and Social Security numbers," the company recommends. "You can be notified once a day or once a week if a new result appears on Google for this query."

As if google doesn't know enough about us, whats next, check google to see if someone is eating the same meal as you for breakfast?

Re:Google (0)

Anonymous Coward | more than 7 years ago | (#17727210)

Well, actually, a service to check if someone else is sleeping with the same member of the appropriate sex as us would be VERY useful... you don't have a problem with posting full name, age, and other identifying info for all you sex partners to the web, do you?

Re:Google (1)

AutopsyReport (856852) | more than 7 years ago | (#17728316)

Not when my sexual history can be summed up in a four-letter word: NULL.

Re:Google (1)

AugustZephyr (989775) | more than 7 years ago | (#17729114)

You and the rest of the /. community. This is gonna kill my karma.

Searching your SSN worked great for AOL users... (1)

patio11 (857072) | more than 7 years ago | (#17733740)

What is my assurance that a "trusted partner" doesn't gain access to "Aggregate search queries with no personally identifying information involved" five years down the line and run grep /[0-9]{3}\-[0-9]{2}\-[0-9]{4}/ against it? Anything that goes into the search hopper is retained, forever, so that Google can use it to tweak their algorithms. Google *has* my credit card number on file (AdWords) and can even access my bank account (Checkout) but these are risks that I can tolerate because presumably they have procedures in place to protect information they KNOW is sensitive and even if they don't my bank has ultimate liability for unauthorized charges. I'm not NEARLY so convinced that they have adequate procedures in place to protect search queries, which most people would assume are probably pretty harmless. (I know they bounced a Justice Department demand to turn over a million random queries once. Bully for their lawyers yesterday, what about their most clueless employee *tomorrow*? AOL posted their queries out of a desire to do good and genuine ignorance about the downside potential, too.)

Every time I accessed a credit card number on a customer account at an old place of employment there was an audit trail generated and what numbers I was accessing was periodically reviewed against what accounts I had legitimate business servicing. Does Google keep similarly in-depth records about internal/external use of their query data? I don't have confidence that this is the case.

Google's Fault? How about FF? (5, Insightful)

EveryNickIsTaken (1054794) | more than 7 years ago | (#17727026)

"This information was submitted to Google by Firefox users with the browser's internal antiphishing toolbar." So, the antiphishing toolbar is submitting full URL's without stripping them of uids/pwds/hashes. Sounds like both FF and Google are to blame for this one.

Don't worry, a patch is out already (0)

Anonymous Coward | more than 7 years ago | (#17727206)

You can get it here [opera.com]

Re:Google's Fault? How about FF? (1)

Jherek Carnelian (831679) | more than 7 years ago | (#17727744)

"This information was submitted to Google by Firefox users with the browser's internal antiphishing toolbar."

What internal antiphishing toolbar? I use firefox 2.0 and the only toolbars listed on View->Toolbars are Navigation and Bookmarks.

Re:Google's Fault? How about FF? (0)

Anonymous Coward | more than 7 years ago | (#17727996)

It's not a toolbar. It's under Help, and it's called "Report Web Forgery" and it sends the URL to Google. The ENTIRE URL with no filtering, at least in my checks.

Re:Google's Fault? How about FF? (0)

Anonymous Coward | more than 7 years ago | (#17728252)

Since you have people doubting on you, I can prove Firefox doesn't strip anything from the URL.

Unzip the file "content/browser/safebrowsing/sb-loader.js" from "chrome/browser.jar" in your Firefox directory. This contains the file that handles submitting URLs to Google. It's in the core Firefox distribution, and Bonsai clearly fingers Firefox as adding it [mozilla.org] so the blame lies completely with Firefox.

(Or you can just use their online code browser [mozilla.org] .)

Anyway, search for "getReportPhishingURL" - this is the URL phishing reports are sent to. Note the following lines:

var pageUrl = getBrowser().currentURI.asciiSpec;
reportUrl += "&url=" + encodeURIComponent(pageUrl);
Those two lines add the current URL of the currently active page DIRECTLY without modifying it at all.

So, yes, Firefox doesn't do ANY URL filtering at all, and this can be verified by checking the code base.

Re:Google's Fault? How about FF? (1)

Original Replica (908688) | more than 7 years ago | (#17730926)

Does anyone know of a toolbar that hasn't eventually been the source of a problem? In the past past I would have said Google toolbar, but now I'm not so sure.

Big deal.. (1)

madhatter256 (443326) | more than 7 years ago | (#17727122)

This kinda is a big deal. Imagine all the customers of Bank of America, Suntrust, Citibank, and Wachovia who are constantly reporting to google whenever they come across a phishing site. Dyslexic still continue in reporting fishing.com to google *sigh*.

Truth about phishing (2, Insightful)

fatnicky (991652) | more than 7 years ago | (#17727164)

We only comment about the jerks who phish for one reason.

We didn't think of it first.

Re:Truth about phishing (1)

flyingfsck (986395) | more than 7 years ago | (#17727650)

Give a man a phish and he has one credit card to misuse.
Teach a man how to phish and he has unlimited credit for life...

Re:Truth about phishing (1)

NZBeeMan (690544) | more than 7 years ago | (#17754268)

Give a man a phish and feed him for a day...
Teach a man how to phish and he will sit in a boat and drink beer all day.

Re:Truth about phishing (3, Interesting)

FooAtWFU (699187) | more than 7 years ago | (#17728030)

Whatever we you are talking about, I do not wish to be a member of it. Thank you.

Re:Truth about phishing (1)

StikyPad (445176) | more than 7 years ago | (#17730858)

We concur.

What I do... (0)

Anonymous Coward | more than 7 years ago | (#17727172)

is disable all this do no evil^w^w^w privacy reducing bloat. Try the fixing the following mis-features by setting them to booleen false in about:config.

browser.safebrowsing.enabled false
browser.search.suggest.enabled false
network.prefetch-next false
I also disable javascript but that's apparently because "I'm weird".

Google Safe Browsing (0)

Anonymous Coward | more than 7 years ago | (#17727272)

this blog was posted to the full-disclosure list a couple days ago...has a lot more on the technical details of google's phishing protection and firefox:

http://jon.oberheide.org/blog/2006/11/13/google-sa fe-browsing/ [oberheide.org]

Shitty Web Programmers (0)

Anonymous Coward | more than 7 years ago | (#17727312)

Why is this googles fault? Try blaming the retarts that use the URL parameters for username and password.... Come on that's web programming 101...

Re:Shitty Web Programmers (0)

Anonymous Coward | more than 7 years ago | (#17728860)

It is retard [reference.com] .

"Retart" sounds like you gave somebody another round of dessert.

Do not use such a bloated browsers then (0, Offtopic)

AnnuitCoeptis (1049058) | more than 7 years ago | (#17727406)

Recetly, I've found out that I don't have a web browser that is not threatened by some nasty bugs or exploits. So after a long research I've found "Offbyone" browser, and it rulez. Website loading is -rapid- compared to anything outthere. No Web2.0 spyware.. no problems.

And did you notice how slow those Web2.0 sites are? The usability went from 4/5 to 2/5 with all those _web 2.0_ upgrades. There is nothing I was missing with old Slashdot, old Yahoo! messageboars or old Digg. All those sites were better under the old scheme and faster. Now you can play Doom in the browser right? Wrong, I play Doom on my XBox360 Live Arcade not in the _web 2.0_ bloated browser.

Re:Do not use such a bloated browsers then (0)

Anonymous Coward | more than 7 years ago | (#17727482)

Is this a troll? Off by one is 1. windows only and 2. only supports HTML 3.2

An aspiring elitist prick like you should at least have the decency to use XSmiles ;-)

Do no evil (2, Insightful)

Robert Goatse (984232) | more than 7 years ago | (#17727430)

Let's get all of the Google nuthuggers out of the woodwork to defend their g00gl3!!!11 Now, if it was Microsoft on the other hand, they would be skewered to no end for a SNAFU such as this.

Re:Do no evil (1)

creativeHavoc (1052138) | more than 7 years ago | (#17729030)

Well if you actually read the comments above instead of going straight to complaining you would see the posts are all pretty much jokes, or people blaming google (or firefox too)

This is just a "long range" anti-phishing plan! (0)

Anonymous Coward | more than 7 years ago | (#17727434)

...I mean, if you publish the information nobody has to phish for it. Sooner or later, all those phishing "skills" will atrophy, and there'll be no more phishing!

Google found a whole year of JIATF emails! (0)

Anonymous Coward | more than 7 years ago | (#17727554)

This was a few years ago.
To, from, and subject only, but it was still pretty interesting because you could tell who had been distracted at work.

Blame Dynamic DNS Services (0)

Anonymous Coward | more than 7 years ago | (#17727592)

When reviewing stats of how many offences are committed using a straight IP address followed by a typical website secure address, I would say Point the finger the other direction at these DDNS services that do no verification of what content they are allowing these fly by night websites to host.

When is the last time you received an email stating to update your bank info at 255.255.255.255.securebanking.BankOfAmerica.com/Lo gin/aseer223as/index.jsp or any other phishing scam? To be honest I haven't seen on in my inbox in 2-3 years.

On the other hand I almost weekly see phishing emails for sec.tw.seurebanking.BankOfAmerica.com/Login/aseer2 23as/index.jsp which makes it a lot harder to notice over the earlier scams.

Why hasn't the governments of this 21st century world recognized that we are a Computer born society and that if immoral acts of theft are occurring that we need to make the individuals responsible for allowing such a simple act of theft to be prosecuted. I say fry ddns.au, ddns.com.au, dyndns.com and all the like of them for failing to provide some sort of safe guard of abuse of their services. How difficult would it be to add webpage crawling to any DDNS service before allowing the registration of the hosts IP? Scan the hosts pages compare them to a listed of registered banking/brokerage/retail/government pages and if they have offending content immediately notify law enforcement and the ISP.

Internet is born of Free Speech and the like but Free never meant $Free$.

Re:Blame Dynamic DNS Services (1)

iago-vL (760581) | more than 7 years ago | (#17727796)

255.255.255.255.securebanking.BankOfAmerica.com/Lo gin/aseer223as/index.jsp
sec.tw.seurebanking.BankOfAmerica.com/Login/aseer2 23as/index.jsp

Correct me if I'm wrong, but wouldn't both of those be controlled by "BankOfAmerica.com"? Unless the spaces are somehow significant..

Re:Blame Dynamic DNS Services (0)

Anonymous Coward | more than 7 years ago | (#17727874)

Minor error on my keyboarding.... The arguement is not about my typing ability it is about the responsibility of the DDNS services.

URLS should have been:
  255.255.225.255/banking_URL_posted_here
  sec.au/banking_URL_Posted_Here

Quick! (4, Funny)

thanksforthecrabs (1037698) | more than 7 years ago | (#17727618)

Switch to Internet Explorer 7!

Re:Quick! (1)

RzUpAnmsCwrds (262647) | more than 7 years ago | (#17736332)

IE7 strips GET data (anything after the ?) from the pages you check, so this kind of thing doesn't happen.

The funny thing is that there was an article about this on IEBlog months ago - I'm amazed that Google didn't do this.

Ruining the very pants I was returning... (0)

Anonymous Coward | more than 7 years ago | (#17727632)

Somehow this story with Google spyw^H^H^H phis^H^H^H antiphishing blacklist reminds me of...

ELAINE: Would you please just get on with the stupid Bob Saccamano story?!

KRAMER: Well, I'm on the phone with Bob, and I realize right then and there that I need to return this pair of pants. So, I'm off to the store.

ELAINE: What happened to Bob Saccamano?

KRAMER: Well, nothing. His part of the story is done. (Elaine covers her face with her hands - showing her difficulty coping with Kramer) So I'm waiting for the subway, It's not coming, so I decided to hoof it through the tunnel.

ELAINE: Alright, well, now that's something..

KRAMER: Well, I don't know if I lost track of time - or what, but the next think I knew..

ELAINE: (Adding) A train is bearing down on you?!

KRAMER: No, I slipped - and fell in the mud. Ruining the very pants I was about to return.

ELAINE: (Reflects on the story) I don't understand.. you were wearing the pants you were returning?

KRAMER: Well, I guess I was...

Tell me it isn't so... (0, Flamebait)

jo42 (227475) | more than 7 years ago | (#17727788)

The Great Google, with its thousands of very highly educated people accidentally releasing private information? Tell me that it just isn't so. What happened to "Do No Evil"? And are those highly educated people that can run and pass The Great Google Hiring Gauntlet no so smart after all?? Tell me that it just isn't so... :-p

Antiphishing is really click-tracking (1)

Statecraftsman (718862) | more than 7 years ago | (#17727872)

Does anyone know what limits are placed on the urls that are sent to Google(and with IE7 Microsoft)? I figure that if these companies wanted to they could use all these urls to piece together what the most popular search results should be for any query. Even if these companies could not do this, a community-based, properly anonymizing service could almost replace any search engine on the planet by tracking what keywords lead to what websites people click on. Has anyone heard of this idea or has it been shot down for some other reason besides the privacy concerns?

Re:Antiphishing is really click-tracking (0)

Anonymous Coward | more than 7 years ago | (#17728212)

MS strips the URL: http://blogs.msdn.com/ie/archive/2005/09/09/463204 .aspx [msdn.com] and http://blogs.msdn.com/ie/archive/2005/08/31/458663 .aspx [msdn.com]

Phishing Filter does not check every URL on the Microsoft server. It only sends those which are not on a known list of OK sites or those that appear suspicious based on heuristics. If an URL is checked on the Microsoft server, first the URL is stripped down to the path to help remove personal information, then the remaining URL is sent over a secure SSL connection. The communication with the Microsoft server is done asynchronously so that there is little to no effect on your browsing experience.

So, for example, if you were to visit http://www.msn.com/ [msn.com] nothing will be checked on the Microsoft server because "msn.com" and other major websites are on the client-side list of OK sites. However, let's say the URL looked like this: http://207.68.172.246/result.aspx?u=Tariq&p=Tariq [207.68.172.246] ' sPassword, in this scenario phishing filter will remove the query string to help protect my privacy but it will send "http://207.68.172.246/result.aspx" to be checked by the Microsoft Server because 207.68.172.246 is not on the allow list of OK sites. As it turns out, 207.68.172.246 is just the IP address of MSN.com server, so its not a phishing site but this example should help you understand more about how Phishing Filter checks sites on the server.

Re:Antiphishing is really click-tracking (1)

Statecraftsman (718862) | more than 7 years ago | (#17732270)

That's good to know...I still think it'd be cool if there was some way to build a search engine based on anonymized click info from clients. Too bad, the useful data in such a scenario has the potential to identify the user. There's got to be a way to do it and make the database publicly available so it can be audited. Maybe only capture the first click from any results page and strip out the personally identifiable info in a url in a custom way for each url. The only thing missing then would be the marketing for a search engine nobody owns.

Nice spin (0)

Anonymous Coward | more than 7 years ago | (#17727974)

"... few user names... minor lapse... "

Can you imagine what the /. story would say if, say, Microsoft or Sony had screwed up like this?

Oops! (1)

Phusion0 (665359) | more than 7 years ago | (#17729000)

Sorry!

Let me get this straight (4, Insightful)

iabervon (1971) | more than 7 years ago | (#17729634)

Okay, so people are accidentally sending Google URLs with their usernames and passwords in them, and Google is then reporting this information to whoever cares.

But the URLs people are submitting are URLs of sites they think are phishing sites. People are effectively saying, "I think this site stole my password, which is 12345." Okay, so maybe Google shouldn't widely distribute this accidentally-disclosed information, but... how much do you care about whether the general public can see your password, when you've already provided it to somebody who was actually trying to collect it for presumably nefarious purposes? Surely these passwords have been changed, right? Right?

Missing the Interesting Part of the Story (4, Informative)

Dotnaught (223657) | more than 7 years ago | (#17730558)

The most interesting aspect of the story is that Google's auto-suggestion code will suggest a social security number search keyed to a specific person and that the Google engineers were unaware of this possibility. In other words, if you search for your name and social security number enough times, someone else searching on your name might get a search suggestion that included the social security number you entered (if you did it a lot).

In fact, Google is downright helpful when it comes to finding Social Security numbers: In one case -- and it may be the only one -- Google will identify an individual whose Social Security number has been posted online, thanks to a feature in the Google Toolbar that generates search suggestions based on popular searches. (Evidently, a lot of people have searched for this person's Social Security number.)

Entering two keywords related to Social Security numbers -- call them "x" and "y" so as not to compound the problem -- into the Google Toolbar will produce a keyword search suggestion in the form "x y John Doe." Selecting the suggested search terms and name, as might be expected, generates a search results page with the named person's Social Security number.


Check for New Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Create a Slashdot Account

Loading...