Computer Crime Research Center


Google patches phishing hole

Date: September 19, 2006

Google has acknowledged the presence of a phishing hole on its Public Service Search application and has blocked access to the service until the problem is fixed.

The problem went public when blogger Eric Farraro posted details on Thursday on his software development blog. Farraro said that the customizable code in Google's Public Service Search, which enables nonprofit institutions like universities to install ad-free Google search functions on their Web sites at no cost, could be used to create a page hosted on the domain.

Scammers could then use this to build fraudulent Google pages to lure people into handing over personal information, Farraro noted. He demonstrated this by creating a false "Gmail Plus" page: When unsuspecting visitors to the page tried to use their Gmail password to log in, the site delivered a "You (could have) gotten served!" message.

Search giant Google confirmed the existence of the security hole in a statement posted on its blog on Friday. The company has temporarily disabled all login access to Public Service Search clients and has placed a moratorium on new sign-ups. The search functions on current clients' Web sites, however, remain intact. According to Google, a temporary fix has been installed in the service, with a more permanent one in the works.
Original article

Add comment  Email to a Friend

Copyright © 2001-2013 Computer Crime Research Center
CCRC logo