Google Blacklist Contained Confidential Information
by Michael Arrington on January 21, 2007

Internet security firm Finjan will confirm on Monday that Google’s much-discussed anti-phishing blacklist contained confidential usernames and passwords of individuals, including credentials for accounts at banks and other financial institutions. See the screen shot below for an example – click for a larger view.

Google’s current anti-phishing blacklist, which has no access protection, is here. It is used by the Google Safe Browsing for Firefox extension, now part of the Google Toolbar for Firefox, according to Michael Sutton, who has spent some time analyzing it.

Google has not publicly discussed the error, although they quietly removed the offending data. They have, however, acknowledged it in email correspondence with Finjan, which was forwarded to me.

This is nowhere near as serious an issue as the AOL search data released in August 2006. However, a public statement by Google on the issue is warranted, along with confirmation that they have attempted to contact the affected individuals.


  • On the Google site, they haven’t linked to the extension.
    Instead they tell you to install the Google Toolbar,
    which I think most users don’t like, even me ;-) .

    Try http://dl.googl...afebrowsing.xpi for the link to the extension.

  • How could Google miss this one? Such a security risk, and poorly handled by Google. This is one of the reasons that holds me back from recommending Google Checkout for business.

  • Hm, hope this isn’t the start of a lot of mistakes… they hold a _lot_ of personal information; they need to be building our trust instead of making stupid mistakes like this.

  • Security risks will always be a part of the internet. This one is pretty obvious though, but I have the impression that it is due to “autonomies” inside Google.

  • Although it’s not as bad as AOL’s blunder, Google has some explaining to do. However, it did contain credentials for people’s bank accounts and other financial institutions.

  • Which goes to show you,

    you can seek out and hire only the BEST ENGINEERS & DEVELOPERS in the world – out of thousands of highly qualified applicants….

    But in the end, despite all the hype and mysticism….. we are All Still Flawed Humans :-|

  • Old news … I read that somewhere last year. Of course shame on Google for not doing something against it.

  • 403 Forbidden now.

  • Given their reach and the speed with which people adopt their (perpetually beta) products, they need to have even more layers of process in place to guard against errors like this and the Ajax flaws from a few weeks ago. It’s not a case of “flawed humans”, but competing priorities: quality control vs. rush to market.

  • As far as I know, IE7 has this anti-phishing feature. How can Firefox be slower than IE? Google must improve this. Don’t lose out to MSN/Live. Anyway, my country Malaysia has had a lot of phishing cases. One example happened on our leading internet banking site, http://www.Maybank2u.com. The phishing guys were hosting their server in Russia. Due to our stupidness Police, they can do nothing about them because their technology is 10 years behind other countries. When phishing happens, they only wiki the meaning of phishing. kakakkaka. If you want to test out phishing activity, come to my country. Use it as the test bed. I am confident you will succeed.

  • I remember reading a bit about how the TOS for the Google phishing filter stated that personal information might be collected and sent to Google, but no one cared because Google is infallible and all.

  • @10 that’s a great term – “stupidness Police” – I broke out laughing at that one! Sounds like the makings of a comic book or cartoon series.

  • I don’t like the toolbar either. Google isn’t a god… It’s an overrated search engine in my opinion…..
    But on the other hand I do own stock in them….haha

  • Wow…
    Even MS never released its customers personal and financial information.

    Let’s add that to the list of crap that Google has pulled in the past year alone, and Google comes out to being the Enron of the software industry, second only to SCO.

    It’s a good thing Google doesn’t have any of my personal info…

  • If this screenshot is only referring to GET requests, then it’s the bank’s fault for allowing that info in the URLs anyhow.

    Otherwise, if they’re POSTs… oops. Google blunder indeed.

  • It’s not the actual banks that were using GET requests, it was phishing sites, which I guess don’t care if that data gets out.

  • come on google, get with the program!

    matt

  • @8 Working again.. come on Google, fix :) !

  • This isn’t Google’s fault as such. The only way the information could have gotten there is by the user going to the phishing site, putting their details in, hitting submit, and then reporting it. So they’re screwed anyway.

    People need to be reporting it earlier in the cycle, otherwise it’s too late anyway.

    In the interests of niceness, Google could scan for obvious things like ‘pass’ in the GET parameters, but doing that automatically is never going to be 100%.

  • If HIPAA finds out, Google will have a lot more explaining to do.
    http://www.hhs.gov/ocr/hipaa/

    Why does Google have so many beta products out there for months and years? When can Google finish the software release cycle?

  • Yeah, it’s true, but Google only indexes pages which are linked from another page or website, which are easy to index, or a static link to that URL. It’s not new news; it often happens, because Google uses robots, not manual indexing, and manual is not possible.

    Jim
    http://www.tatvasoft.com

  • Would unchecking the option in the new google toolbar be a workaround for this problem?

  • If you use Gmail, they run phishing controls on incoming mail. It often gets false positives on Citibank emails.

    I tried clicking the “Not a scam” button.

    In order to unlock the email and display images, you must agree to send the entire contents of the email to Google’s anti-phishing team. You can’t see your own mail unless you wish to participate in their anti-phishing activities.

    Given that the email was from a bank, I just said no thanks.

  • google is so powerful, it is almost scary

  • Google should’ve removed all options passed in URLs. That would’ve hidden most sensitive information.
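The two remedies floated in the comments above (scanning blacklist entries for credential-looking parameter names such as “pass”, and dropping every query parameter before the list is published) are worth seeing side by side. The following is an added example written for this page; it is not code from the original post, from Google, or from Finjan. The host name, parameter names, and credentials in the sample entries are constructed, and the list of sensitive-looking key fragments is a heuristic assumption, not a published standard.

```python
"""Sanitize URL-blacklist entries before publishing them.

Added example (not from the original post, Google or Finjan).
Strategy (a): flag query parameters whose names look like credentials
              (the "scan for 'pass'" suggestion, never 100% reliable).
Strategy (b): strip the query string entirely before publication
              (the "remove all options passed in URLs" suggestion).
"""
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Heuristic: substrings that often appear in credential-carrying parameter
# names. An assumption for this example, not an exhaustive or standard list.
SENSITIVE_KEY_FRAGMENTS = (
    "pass", "pwd", "pin", "user", "login", "account", "acct",
    "ssn", "card", "cvv", "token", "session",
)


def looks_sensitive(name):
    """True if the parameter name contains a credential-like fragment."""
    lowered = name.lower()
    return any(frag in lowered for frag in SENSITIVE_KEY_FRAGMENTS)


def flag_sensitive_params(url):
    """Return the query-parameter names in url that look like credentials."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    return [key for key, _ in pairs if looks_sensitive(key)]


def redact_query(url, mode="strip"):
    """Return a publishable form of url.

    mode="strip": drop the query string and fragment entirely.
    mode="mask":  keep parameter names, replace the values of
                  sensitive-looking parameters with 'REDACTED'.
    """
    parts = urlsplit(url)
    if mode == "strip":
        return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    masked = [(k, "REDACTED" if looks_sensitive(k) else v) for k, v in pairs]
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(masked), ""))


def sanitize_blacklist(entries, mode="strip"):
    """Sanitize every entry; return (clean_entries, report).

    report lists (original_url, flagged_param_names) for entries that
    carried credential-looking parameters. Entries that become identical
    after sanitizing (e.g. one phishing form hit by many victims) are
    collapsed into a single line.
    """
    clean, report, seen = [], [], set()
    for url in entries:
        flagged = flag_sensitive_params(url)
        if flagged:
            report.append((url, flagged))
        published = redact_query(url, mode)
        if published not in seen:
            seen.add(published)
            clean.append(published)
    return clean, report


# Constructed sample entries: fictional host, fictional victims/credentials.
SAMPLE_BLACKLIST = [
    "http://phish.example/login.php?user=jdoe&pass=hunter2",
    "http://phish.example/login.php?user=asmith&pass=letmein",
    "http://phish.example/verify.asp?acct=12345678&pin=0000",
    "http://phish.example/index.html",
    "http://phish.example/track.php?campaign=spring&id=42",
]

if __name__ == "__main__":
    clean, report = sanitize_blacklist(SAMPLE_BLACKLIST)
    print("publishable entries:")
    for entry in clean:
        print("  ", entry)
    print("entries that carried credential-looking parameters:")
    for url, keys in report:
        print("  ", url, "->", keys)
```

The heuristic scan is useful for an audit report (it tells you which submitted URLs leaked something), but as the commenter notes it will never catch everything: a victim’s credentials may sit in a path segment or under an innocuous parameter name. For a list that is served without access protection, stripping the whole query string is the safer default, and it has the side benefit of collapsing one phishing form hit by many victims into a single entry.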

  • Suppose it was one of *your* “standard” passwords exposed in that list – how many other accounts could that same password have been used to gain access to?

    Can it be repeated enough? Do not reuse your passwords.

  • Now what would be really interesting is to know if the phishers have been mining the anti-phishing tools for data…

  • If your site is hacked and turns spammy, Google may need to remove your site. Before Google takes any action on your site, report to Google’s spam report http://www.goog...spamreport.html and read the Digital Millennium Copyright Act http://www.goog...e.com/dmca.html
