Google Antiphishing Site Exposed Private User Data

Juha-Matti Laurio writes "Google has removed a few user names and passwords posted inadvertently to a phishing blacklist it compiles and makes publicly available on the Web. This information was submitted to Google by Firefox users with the browser's internal antiphishing toolbar. This feature, developed in cooperation with Google, enables users to report potential phishing sites to Google's blacklist database. Google has reportedly implemented a new mechanism detecting login data in submitted URLs to prevent sensitive information from getting posted to the list." The article notes that news of this minor lapse may obscure the ongoing problem of sensitive data exposed on the Web and findable via Google and other search services.

Re:

[madcow_bg]

Well ... without AI it is just impossible to distinguish between troll and off-topic first posts and on-topic fp-s.\
Besides, if they want to spend their karma this way ... let them do it. Democracy at it's best :).

Why is this just breaking now?

[winkydink]

It was discussed on the full-disclosure mailing list 2 weeks ago. If Google is continuing to do this, it's hard for me to see it as anything but irresponsible.

Re:Why is this just breaking now?

[jmazzi]

Well, obviously not everyone is on the mailing list your talking about (including the slashdot editor). This is news to me. Putting it on a site like slashdot will help educate people who weren't already aware.

Re:

[perenaurel]

i posted [slashdot.org] a /. comment with a link [derkeiler.com] to this mailing list post a few weeks ago...

Re:

[jamietre]

There are websites that manage sensitive information that pass usernames & passwords in the actual URL, and you think Google's irresponsible?

Re:

[kalleguld]

Phishing websites. Why should they be careful about the security of the user?

Re:

[jamietre]

Doh! Of course. Rolling my eyes, at myself...

Re:

[heytal]

These weren't the real sites, I believe. They were phishing sites, which passed logins and passwords in the URL. The URL's submitted by the users were supposed to be blacklisted, and hence the list was published.

If the user, before submitting the URL did not check for personal information in the URL, it's that user's problem, and not Google's.

I think it was pretty smart on behalf of Google to come up with an algorithm to look at the submitted URL, and remove the personal data.

Re:

[jamietre]

Yes, I got schooled already. Since then I've changed my mind completely: google is not just irresponsible, but pretty stupid for allowing this to happen at all. Why include ANY part of the query string at all? A reference to a phishing web site ought to end with the "?" in the URL. I would think the "algorithm" would just be "ditch anything after the actual location." Even if it didn't occur to them that there might be personal data in the query-string part of the URL, there's no reason to keep any of it i

Re:

[charlieman]

Well you should have send it to /. 2 weeks ago then.

Re:

[sholden]

Why not read the second paragraph of the article?

Yes, I must be new here...

Re:

[Deanalator]

The first time I looked at the link that was posted on full disclosure, all the passwords etc were there, but when I checked again the next day they had been removed. I think Google actually did a pretty quick cleanup job cleaning up their mess. The delay is due to the media echo chamber.

Remember that the full disclosure event was reported to Finjan, who did an analysis. Someone over at information week then wrote an article about this analysis, which was posted yesterday. The slashdot posting is about

Never fear!

[greginnj]

Google has removed a few user names and passwords posted inadvertently to a phishing blacklist it compiles and makes publicly available on the Web.

Never fear, they're still available on Google Cache :)

Nice

[madsheep]

Sounds like we have some sites that are passing persistent username and password information in the URL (not just querystrings etc). That's pretty lame. I think Barracuda SPAM Firewall does this as well. Perhaps one of these days we'll just see applications with a higher level of security and won't have to worry about this so much.

Re:

[Nos.]

Passing strings via POST as opposed to GET is not "secure". Both can be easily sniffed. The only way to do it is to use SSL, in which case, even the GET strings are encrypted.

Re:

[madsheep]

SSL has nothing to do with it though if it's a GET or persisting URL. It can be encrypted all it wants to be to and from the server, but doesn't mean it cannot be picked up as a phishing site..unless the anti-phishing URL checker breaks because it's preceded by https.

Re:

[lukas84]

You are right, but that's not the point.

URLs are commonly copy and pasted, submitted to other sites, can be read in the browser history, in proxy logs, etc.

Of course, you can configure a proxy to log POST data, but this is beside the point. This is about preventing unintended duplication of sensitive data, not actual attacks.

Re:

[Cally]

or encrypt the data on the server side before sending it back to the client (via a cookie by preference. You can't bookmark a cookie ;)

Re:

[Nos.]

But how does the data get to the server in the first place. If its not encrypted from step one, its not secure.

Re:

[Anonymous Coward]

Sounds like we have some sites that are passing persistent username and password information in the URL (not just querystrings etc). That's pretty lame.

That's quite an understatement. Doing that not only causes problems like this, it also discloses your username and password to a) anybody with access to a proxy log (it's easier to get hold of that than root the proxy to sniff the traffic) and b) any website you navigate to directly from the braindead website (since the URI, including the username and p

This is why I don't use a phishing filter

[SNR monkey]

Now please excuse me, g00gle.com tells me I need to enter my gmail login, password, and a valid credit card number to unlock my gmail account.

Google

[Newfie2005]

"Google also encourages users to use its search engine as a free credit card and Social Security number monitoring service for Web-based content. "We also suggest that individuals create Google Alerts for their credit card and Social Security numbers," the company recommends. "You can be notified once a day or once a week if a new result appears on Google for this query."

As if google doesn't know enough about us, whats next, check google to see if someone is eating the same meal as you for breakfast?

Re:

[AutopsyReport]

Not when my sexual history can be summed up in a four-letter word: NULL.

Re:

[AugustZephyr]

You and the rest of the /. community. This is gonna kill my karma.

Searching your SSN worked great for AOL users...

[patio11]

What is my assurance that a "trusted partner" doesn't gain access to "Aggregate search queries with no personally identifying information involved" five years down the line and run grep /[0-9]{3}\-[0-9]{2}\-[0-9]{4}/ against it? Anything that goes into the search hopper is retained, forever, so that Google can use it to tweak their algorithms. Google *has* my credit card number on file (AdWords) and can even access my bank account (Checkout) but these are risks that I can tolerate because presumably they

Google's Fault? How about FF?

[EveryNickIsTaken]

"This information was submitted to Google by Firefox users with the browser's internal antiphishing toolbar." So, the antiphishing toolbar is submitting full URL's without stripping them of uids/pwds/hashes. Sounds like both FF and Google are to blame for this one.

Re:

[Jherek Carnelian]

"This information was submitted to Google by Firefox users with the browser's internal antiphishing toolbar."

What internal antiphishing toolbar? I use firefox 2.0 and the only toolbars listed on View->Toolbars are Navigation and Bookmarks.

Re:

[Original Replica]

Does anyone know of a toolbar that hasn't eventually been the source of a problem? In the past past I would have said Google toolbar, but now I'm not so sure.

Big deal..

[madhatter256]

This kinda is a big deal. Imagine all the customers of Bank of America, Suntrust, Citibank, and Wachovia who are constantly reporting to google whenever they come across a phishing site. Dyslexic still continue in reporting fishing.com to google *sigh*.

Truth about phishing

[fatnicky]

We only comment about the jerks who phish for one reason.

We didn't think of it first.

Re:

[flyingfsck]

Give a man a phish and he has one credit card to misuse.
Teach a man how to phish and he has unlimited credit for life...

Re:

[NZBeeMan]

Give a man a phish and feed him for a day...
Teach a man how to phish and he will sit in a boat and drink beer all day.

Re:Truth about phishing

[FooAtWFU]

Whatever we you are talking about, I do not wish to be a member of it. Thank you.

Re:

[StikyPad]

We concur.

Do no evil

[Robert Goatse]

Let's get all of the Google nuthuggers out of the woodwork to defend their g00gl3!!!11 Now, if it was Microsoft on the other hand, they would be skewered to no end for a SNAFU such as this.

Re:

[creativeHavoc]

Well if you actually read the comments above instead of going straight to complaining you would see the posts are all pretty much jokes, or people blaming google (or firefox too)

Re:

[iago-vL]

255.255.255.255.securebanking.BankOfAmerica.com/Lo gin/aseer223as/index.jsp
sec.tw.seurebanking.BankOfAmerica.com/Login/aseer2 23as/index.jsp

Correct me if I'm wrong, but wouldn't both of those be controlled by "BankOfAmerica.com"? Unless the spaces are somehow significant..

Quick!

[thanksforthecrabs]

Switch to Internet Explorer 7!

Re:

[RzUpAnmsCwrds]

IE7 strips GET data (anything after the ?) from the pages you check, so this kind of thing doesn't happen.

The funny thing is that there was an article about this on IEBlog months ago - I'm amazed that Google didn't do this.

Antiphishing is really click-tracking

[Statecraftsman]

Does anyone know what limits are placed on the urls that are sent to Google(and with IE7 Microsoft)? I figure that if these companies wanted to they could use all these urls to piece together what the most popular search results should be for any query. Even if these companies could not do this, a community-based, properly anonymizing service could almost replace any search engine on the planet by tracking what keywords lead to what websites people click on. Has anyone heard of this idea or has it been shot

Re:

[Statecraftsman]

That's good to know...I still think it'd be cool if there was some way to build a search engine based on anonymized click info from clients. Too bad, the useful data in such a scenario has the potential to identify the user. There's got to be a way to do it and make the database publicly available so it can be audited. Maybe only capture the first click from any results page and strip out the personally identifiable info in a url in a custom way for each url. The only thing missing then would be the marketi

Oops!

[Phusion0]

Sorry!

Let me get this straight

[iabervon]

Okay, so people are accidentally sending Google URLs with their usernames and passwords in them, and Google is then reporting this information to whoever cares.

But the URLs people are submitting are URLs of sites they think are phishing sites. People are effectively saying, "I think this site stole my password, which is 12345." Okay, so maybe Google shouldn't widely distribute this accidentally-disclosed information, but... how much do you care about whether the general public can see your password, when you've already provided it to somebody who was actually trying to collect it for presumably nefarious purposes? Surely these passwords have been changed, right? Right?

Missing the Interesting Part of the Story

[Dotnaught]

The most interesting aspect of the story is that Google's auto-suggestion code will suggest a social security number search keyed to a specific person and that the Google engineers were unaware of this possibility. In other words, if you search for your name and social security number enough times, someone else searching on your name might get a search suggestion that included the social security number you entered (if you did it a lot).

In fact, Google is downright helpful when it comes to finding Social Security numbers: In one case -- and it may be the only one -- Google will identify an individual whose Social Security number has been posted online, thanks to a feature in the Google Toolbar that generates search suggestions based on popular searches. (Evidently, a lot of people have searched for this person's Social Security number.)

Entering two keywords related to Social Security numbers -- call them "x" and "y" so as not to compound the problem -- into the Google Toolbar will produce a keyword search suggestion in the form "x y John Doe." Selecting the suggested search terms and name, as might be expected, generates a search results page with the named person's Social Security number.