Google's Anti-Phishing Plug-In Leaked Passwords

eldavojohn (898314) writes | more than 7 years ago


eldavojohn writes "There's a brief article on Ars Technica about how Finjan Inc. (a security provider) found a security problem with Google's anti-phishing plug-in for Mozilla Firefox and covertly contacted Google about it. From the article,

How did an anti-phishing plugin wind up exposing user names and passwords to the general public? Google's software used a public blacklist, available from Google's servers, which listed sites that were fraudulently pretending to be banking or other financial institutions. Unfortunately, some of these sites embedded usernames and passwords directly into the URL — obviously phishing sites didn't have concerns about security — and were thus viewable by anyone.
So you might be asking why this isn't bigger news. Well, Google has since fixed this problem and turned this issue into a non-issue. One must wonder whether this form of bug discovery is more sensible or 'correct' than the constant Microsoft bugs published online. Perhaps if Google continues to handle low-key notices seriously, they'll never find themselves in the same position as Microsoft?"
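The leak described in the quoted article comes from publishing reported URLs verbatim. The following is an added example, not code from the article, Google or Finjan: a scrubber that strips embedded credentials from URLs before they go into a public blocklist. The parameter names in `SENSITIVE_KEYS`, the `REDACTED` marker and the sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumed names of query parameters that tend to carry credentials.
# This list is illustrative; tune it to what your own feed actually contains.
SENSITIVE_KEYS = {"user", "username", "login", "email",
                  "pass", "passwd", "password", "pin", "token"}
REDACTED = "REDACTED"


def scrub_url(url):
    """Return (clean_url, changed) with embedded credentials removed."""
    parts = urlsplit(url)
    changed = False

    # Case 1: credentials in the authority part, e.g. http://user:pw@host/
    netloc = parts.netloc
    if "@" in netloc:
        netloc = netloc.rsplit("@", 1)[1]
        changed = True

    # Case 2: credentials passed as query-string values.
    query = parts.query
    pairs = parse_qsl(query, keep_blank_values=True)
    if any(k.lower() in SENSITIVE_KEYS and v for k, v in pairs):
        pairs = [(k, REDACTED if k.lower() in SENSITIVE_KEYS and v else v)
                 for k, v in pairs]
        query = urlencode(pairs)  # only re-encode when something was redacted
        changed = True

    clean = urlunsplit((parts.scheme, netloc, parts.path, query, parts.fragment))
    return clean, changed


def scrub_feed(urls):
    """Scrub every entry; return the publishable list and how many were altered."""
    results = [scrub_url(u) for u in urls]
    return [u for u, _ in results], sum(1 for _, c in results if c)


if __name__ == "__main__":
    # Constructed sample entries; example.test is a reserved, non-routable name.
    feed = [
        "http://phish.example.test/login.php?user=alice&pass=hunter2&lang=en",
        "http://bob:s3cret@bank-login.example.test/verify",
        "http://plain.example.test/a?b=c%20d",
    ]
    cleaned, altered = scrub_feed(feed)
    for line in cleaned:
        print(line)
    print(f"{altered} of {len(feed)} entries contained credentials")
```
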
