Google has a special search service for universities that allows them to create a customized page at google.com/u/name.
Eric Farraro managed to use this service to create a Gmail-like login page, by using some simple JavaScript code. Although the page wasn't actually used for phishing (the credentials weren't stored), it was enough for Google to remove the page and temporarily close the registrations for the service.
The page was available at http://google.com/u/gplus and fooled many people who didn't realize the page isn't secured (Google's login uses https) and thought it was a new service from Google.
"
Similar 'phishing' sites could be set up at ANY URL. What makes this type of exploit so insidious is that most people would consider the URL to be safe: http://www.google.com/u/gplus. While Google has suffered from similar attacks in the past, most of them have had suspicious URLs, at least to the advanced user. Using the exploit in this service, a malicious attacker could launch phishing sites that even advanced users could fall for," explains the "attacker".
So next time you enter your password on a site, make sure you check the address bar. It's also a good idea to use only secure logins.
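The address-bar check the post recommends, written out as a routine a browser extension or bookmarklet could run before a password is typed. This is an added example, not code from the post or from Google; the form descriptions and URLs are constructed objects so it runs in Node without a browser. It flags the two signals the post describes: a password field on a page served over plain http, and a form that would send credentials to an origin other than the page's own.

```javascript
// Added illustration (not code from the original post): a defender-side
// sanity check for login forms. It looks at the page's own URL (what the
// address bar shows) and the form's submission target, and warns when a
// password field sits on a non-https page or would be posted elsewhere.
// Form descriptions are constructed plain objects, not live DOM nodes.

function assessLoginForm(pageUrl, form) {
  const page = new URL(pageUrl);
  // A form with an empty action posts back to the page it appears on.
  const target = new URL(form.action || pageUrl, pageUrl);
  const warnings = [];

  // A plain search box with no password field is not a login form.
  if (!form.hasPasswordField) {
    return { risky: false, warnings };
  }
  if (page.protocol !== "https:") {
    warnings.push("password field on a page served over " + page.protocol.replace(":", ""));
  }
  if (target.protocol !== "https:") {
    warnings.push("credentials would be sent over " + target.protocol.replace(":", ""));
  }
  if (target.origin !== page.origin) {
    warnings.push("form posts to a different origin: " + target.origin);
  }
  return { risky: warnings.length > 0, warnings };
}

// Constructed samples: a look-alike page on the customized-search path
// (plain http, posting to an outside host; example.invalid is a placeholder),
// a genuine https login posting to its own origin, and a plain search box.
const SAMPLES = [
  { pageUrl: "http://www.google.com/u/gplus",
    form: { action: "http://example.invalid/collect", hasPasswordField: true } },
  { pageUrl: "https://www.google.com/accounts/ServiceLogin",
    form: { action: "/accounts/ServiceLoginAuth", hasPasswordField: true } },
  { pageUrl: "http://www.google.com/u/gplus",
    form: { action: "", hasPasswordField: false } },
];

function runSamples() {
  return SAMPLES.map(s => assessLoginForm(s.pageUrl, s.form));
}

if (typeof module !== "undefined" && require.main === module) {
  for (const [i, r] of runSamples().entries()) {
    console.log(`sample ${i}: ${r.risky ? "RISKY" : "ok"}`, r.warnings);
  }
}
```

The origin comparison is the part that matters on a page like the one in the post: the address bar can show a trusted host while the form still delivers the password to whoever customized the page, so a check that only looks at the host name is not enough.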
Wow that was a nice find, glad Eric reported it before he put it on Digg.
They will need to do some blocks to disallow some of the code to do this again.
They would only really need to put a smart searching engine that will check the code for any dodgy redirects or things like that.
I don't think they would completely kill off the ability to hide the DIV, then again it does hide their search results, which is the whole point behind it, hehe.
See, shows you that security is always an on-going issue, not even Google are perfect.
Should update it with the Official explanation on Google WebmasterCentral.