Google Antiphishing Site Exposed Private User Data 69
Juha-Matti Laurio writes "Google has removed a few user names and passwords posted inadvertently to a phishing blacklist it compiles and makes publicly available on the Web. This information was submitted to Google by Firefox users with the browser's internal antiphishing toolbar. This feature, developed in cooperation with Google, enables users to report potential phishing sites to Google's blacklist database. Google has reportedly implemented a new mechanism detecting login data in submitted URLs to prevent sensitive information from getting posted to the list." The article notes that news of this minor lapse may obscure the ongoing problem of sensitive data exposed on the Web and findable via Google and other search services.
Why is this just breaking now? (Score:4, Insightful)
Google's Fault? How about FF? (Score:5, Insightful)
Re:Why is this just breaking now? (Score:4, Insightful)
Truth about phishing (Score:2, Insightful)
We didn't think of it first.
Re:Nice (Score:2, Insightful)
URLs are commonly copy and pasted, submitted to other sites, can be read in the browser history, in proxy logs, etc.
Of course, you can configure a proxy to log POST data, but this is beside the point. This is about preventing unintended duplication of sensitive data, not actual attacks.
Do no evil (Score:1, Insightful)
Re:Nice (Score:2, Insightful)
Sounds like we have some sites that are passing persistent username and password information in the URL (not just querystrings etc). That's pretty lame.
That's quite an understatement. Doing that not only causes problems like this, it also discloses your username and password to a) anybody with access to a proxy log (it's easier to get hold of that than root the proxy to sniff the traffic) and b) any website you navigate to directly from the braindead website (since the URI, including the username and password, will be sent to the new website in the Referer HTTP header).
Re:Why is this just breaking now? (Score:3, Insightful)
Re:Why is this just breaking now? (Score:2, Insightful)
Let me get this straight (Score:5, Insightful)
But the URLs people are submitting are URLs of sites they think are phishing sites. People are effectively saying, "I think this site stole my password, which is 12345." Okay, so maybe Google shouldn't widely distribute this accidentally-disclosed information, but... how much do you care about whether the general public can see your password, when you've already provided it to somebody who was actually trying to collect it for presumably nefarious purposes? Surely these passwords have been changed, right? Right?