Google Antiphishing Site Exposed Private User Data 69

Juha-Matti Laurio writes "Google has removed a few user names and passwords posted inadvertently to a phishing blacklist it compiles and makes publicly available on the Web. This information was submitted to Google by Firefox users with the browser's internal antiphishing toolbar. This feature, developed in cooperation with Google, enables users to report potential phishing sites to Google's blacklist database. Google has reportedly implemented a new mechanism detecting login data in submitted URLs to prevent sensitive information from getting posted to the list." The article notes that news of this minor lapse may obscure the ongoing problem of sensitive data exposed on the Web and findable via Google and other search services.
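As an added illustration of the kind of check the summary describes (this is example code written for this page, not Firefox's toolbar code or Google's), the JavaScript below detects credentials embedded in a URL and redacts them before the URL leaves the client. It covers the two leak channels this thread discusses: RFC 3986 userinfo (`user:pass@host`) and query or fragment parameters whose names suggest a login name or secret. The parameter-name patterns and the sample URLs are assumptions constructed for the example, not taken from the article.

```javascript
// Added example, not Firefox's or Google's code: strip credentials from a
// URL before it is submitted to a phishing blacklist, logged, or shared.
// Uses only the WHATWG URL API (Node.js or any modern browser).

// Parameter names treated as secrets or identities. These patterns are an
// assumption made for the example, not a list taken from the article.
const SECRET_PARAM = /^(pass(word|wd|phrase)?|pwd|pw|secret|token|auth|session(id)?|sid|api_?key)$/i;
const IDENT_PARAM = /^(user(name|id)?|uid|login|email|account)$/i;

// Replace the value of every credential-looking parameter in a
// URLSearchParams object. Returns the names that were redacted.
function scrubParams(params) {
  const hit = [];
  for (const [name] of [...params]) {      // iterate a copy: we mutate while walking
    if (SECRET_PARAM.test(name) || IDENT_PARAM.test(name)) {
      params.set(name, 'REDACTED');        // set() also collapses duplicate keys
      hit.push(name);
    }
  }
  return hit;
}

// Returns { url, findings, sensitive }, where `url` is safe to report.
function redactUrl(raw) {
  const url = new URL(raw);
  const findings = [];

  // 1. RFC 3986 userinfo: http://alice:s3cret@host/...
  if (url.username || url.password) {
    findings.push('userinfo');
    url.username = '';
    url.password = '';                     // serializer drops the '@' once both are empty
  }

  // 2. Query string. searchParams is live, so url.search is rewritten in place.
  for (const name of scrubParams(url.searchParams)) findings.push(`query:${name}`);

  // 3. Fragment. The URL parser does not decode it, but single-page apps
  //    often carry tokens there. Only rewrite it when something matched, so a
  //    plain anchor such as #top is left exactly as it was.
  if (url.hash.length > 1) {
    const frag = new URLSearchParams(url.hash.slice(1));
    const hit = scrubParams(frag);
    if (hit.length > 0) {
      for (const name of hit) findings.push(`fragment:${name}`);
      url.hash = frag.toString();
    }
  }

  return { url: url.toString(), findings, sensitive: findings.length > 0 };
}

// Demonstration on constructed URLs (not real sites).
const samples = [
  'http://alice:s3cret@bank.example.com/login?user=alice&password=s3cret&next=%2Fhome',
  'https://app.example.com/#token=abc123&view=main',
  'https://example.com/a?x=1#top',
];
for (const s of samples) {
  const r = redactUrl(s);
  console.log(r.sensitive ? 'REDACTED' : 'clean   ', r.url, r.findings.join(','));
}
```

The check is name-based, so it cannot catch a secret passed under an unusual parameter name; a stricter policy for a blacklist submission is to keep only scheme, host and path and drop the query and fragment entirely, since the host and path are what a blacklist matches on. It also does nothing about the Referer header, which a browser sends with the full URL to the next site visited; the only fix for that is for sites not to put credentials in URLs in the first place.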

  • by winkydink ( 650484 ) * <sv.dude@gmail.com> on Tuesday January 23, 2007 @03:02PM (#17726946) Homepage Journal
    It was discussed on the full-disclosure mailing list 2 weeks ago. If Google is continuing to do this, it's hard for me to see it as anything but irresponsible.
  • by EveryNickIsTaken ( 1054794 ) on Tuesday January 23, 2007 @03:07PM (#17727026)
    "This information was submitted to Google by Firefox users with the browser's internal antiphishing toolbar." So, the antiphishing toolbar is submitting full URLs without stripping them of uids/pwds/hashes. Sounds like both FF and Google are to blame for this one.
  • by jmazzi ( 869663 ) on Tuesday January 23, 2007 @03:14PM (#17727152) Homepage
    Well, obviously not everyone is on the mailing list you're talking about (including the slashdot editor). This is news to me. Putting it on a site like slashdot will help educate people who weren't already aware.
  • by fatnicky ( 991652 ) on Tuesday January 23, 2007 @03:14PM (#17727164) Homepage
    We only comment about the jerks who phish for one reason.

    We didn't think of it first.

  • Re:Nice (Score:2, Insightful)

    by lukas84 ( 912874 ) on Tuesday January 23, 2007 @03:17PM (#17727204) Homepage
    You are right, but that's not the point.

    URLs are commonly copy and pasted, submitted to other sites, can be read in the browser history, in proxy logs, etc.

    Of course, you can configure a proxy to log POST data, but this is beside the point. This is about preventing unintended duplication of sensitive data, not actual attacks.
  • Do no evil (Score:1, Insightful)

    by Robert Goatse ( 984232 ) on Tuesday January 23, 2007 @03:36PM (#17727430)
    Let's get all of the Google nuthuggers out of the woodwork to defend their g00gl3!!!11 Now, if it was Microsoft on the other hand, they would be skewered to no end for a SNAFU such as this.
  • Re:Nice (Score:2, Insightful)

    by Anonymous Coward on Tuesday January 23, 2007 @03:50PM (#17727568)

    Sounds like we have some sites that are passing persistent username and password information in the URL (not just querystrings etc). That's pretty lame.

    That's quite an understatement. Doing that not only causes problems like this, it also discloses your username and password to a) anybody with access to a proxy log (it's easier to get hold of that than root the proxy to sniff the traffic) and b) any website you navigate to directly from the braindead website (since the URI, including the username and password, will be sent to the new website in the Referer HTTP header).

  • by jamietre ( 1051578 ) on Tuesday January 23, 2007 @04:36PM (#17728130)
    There are websites that manage sensitive information that pass usernames & passwords in the actual URL, and you think Google's irresponsible?
  • by kalleguld ( 624992 ) on Tuesday January 23, 2007 @05:54PM (#17729194)
    Phishing websites. Why should they be careful about the security of the user?
  • by iabervon ( 1971 ) on Tuesday January 23, 2007 @06:26PM (#17729634) Homepage Journal
    Okay, so people are accidentally sending Google URLs with their usernames and passwords in them, and Google is then reporting this information to whoever cares.

    But the URLs people are submitting are URLs of sites they think are phishing sites. People are effectively saying, "I think this site stole my password, which is 12345." Okay, so maybe Google shouldn't widely distribute this accidentally-disclosed information, but... how much do you care about whether the general public can see your password, when you've already provided it to somebody who was actually trying to collect it for presumably nefarious purposes? Surely these passwords have been changed, right? Right?

