September 15, 2006
Google Public Search, Vulnerable to Phishing
The page was available at http://google.com/u/gplus and fooled many people who didn't realize that the page wasn't secured (Google's login uses https) and thought it was a new service from Google.
"Similar 'phishing' sites could be set up at ANY URL. What makes this type of exploit so insidious is that most people would consider the URL to be safe: http://www.google.com/u/gplus. While Google has suffered from similar attacks in the past, most of them have had suspicious URLs, at least to the advanced user. Using the exploit in this service, a malicious attacker could launch phishing sites that even advanced users could fall for," explains the "attacker".
So the next time you enter your password on a site, make sure you check the address bar. It's also a good idea to use only secure logins.