Google anti-phishing gave out passwords

Author: Brett Thomas
Published: 23rd January 2007
Comments (8) Stumble
Got Google anti-phishing? Here's your complimentary password and username list. Whoops.

Got Google anti-phishing? Here's your complimentary password and username list. Whoops.

"The best laid plans of mice and men..." Oh, Steinbeck, if you only had a clue how true this really is. Many of you can sympathise with this - you go to do something nice, something well-planned, and something horribly awful happens as a result. Such is the way with Google and its anti-phishing plugin - which just so happened to accidentally save users' passwords and emails, then display them publicly.

Oops.

Fortunately, it's not as if Google actually scripted something intentionally to leave this back-door vulnerability. It actually has little to do with Google's code itself and more to do with the way many phishing sites are concocted. Often, when entering into a phishing site, it will put your username/password in plain text in the URL. Google's anti-phishing is supported by a publicly available blacklist - which then saved all of those URLs for anyone to see.

The issue was caught and brought to Google's attention by a web security company known as Finjan. Since then, our favourite searching company has issued a patch for its anti-phishing plugin which strips any user data from blacklist URLs. Finjan actually recommends disabling any feature (which is common in toolbars and other 'assistant' programs) that sends URL data back home, just to be safe.

Though the quick response is admirable, it does illustrate a basic flaw in the premise - sometimes the cure can be worse than the disease. It raises an important question as to the benefits of total integration - when one company, however honest it may be, starts doing too much, are we any better off?

Let us know your thoughts on the slip-up in our forums.
Apple Products at Misco
Quote mclean007 23rd January 2007, 15:01
As a native Scot I feel I must stand up for my country by correcting your literary reference - you seem to imply it was Steinbeck who wrote "The best laid plans of mice and men often go awry", when in fact the proverb is derived from Robert Burns' To a Mouse (1785), a line in the second last stanza of which reads "The best laid schemes o' mice an' men / gang aft agley". Steinbeck merely borrowed from Burns for the title of his 1937 novel Of Mice and Men.

</pedantic off-topic patriotism>
:D

On-topic: naughty Google.
Quote Leitchy 23rd January 2007, 16:40
'mon the scots.

And yes, Lesson learned by google!
Quote DXR_13KE 23rd January 2007, 16:55
it happens, hey they did not predict that phishing sites would put user names and passwords on the URL


and for something diferent:
GOOGLE SUCKS BOOOOO!!!!! TEHY ARE TEH EVIL AND THE DUMB!!!!! BOOOO!!!! J/K ;)
Quote FooSai 23rd January 2007, 17:54
It was an accident, accidents happen. They fixed it straight away, so I have no problem with them.
Quote Tyinsar 24th January 2007, 02:23
Quote:
Originally Posted by Article
It raises an important question as to the benefits of total integration - when one company, however honest it may be, starts doing too much, are we any better off?




What was that about Microsoft?
Quote brumster 24th January 2007, 03:40
I never imagined this would happen, but I certainly imagined something would.
While it seemed a good idea in principle, the skeptic in me knew better than to enable that particular feature in my firefox google toolbar.
Quote Generic42 24th January 2007, 03:54
Quote:
Originally Posted by Tyinsar



What was that about Microsoft?
Seriously... integration is never good when it goes that far.. (read: integrated graphics, MS, smart cars, we should have learned from them, so much dependance!)
Quote bilbothebaggins 24th January 2007, 07:41
Quote:
Originally Posted by Article
It raises an important question as to the benefits of total integration - when one company, however honest it may be, starts doing too much, are we any better off?

No question here for me. Never good. Never.
(Total integration? Energy companies anyone? :( )
Log in

You are not logged in, please login with your forum account below. If you don't already have an account please register to start contributing.



XFX 790i SLI


Affordable hosting at TSOhost
Stats: 0.155 seconds