Google Security Hole
A British computer scientist has demonstrated that opportunities exist for fraudsters to launch phishing attacks using cross-site scripting bugs on the very widely used Google sites.
Using these conduits, fraudsters would be able to inject their own content onto the site in order to collect credit card details and other sensitive information. Jim Ley’s demonstrations include a well-crafted credit card submission form which explained that Google was soon to become a subscription-only service at $5 per month, but that users could take advantage of an earlybird special offer to obtain lifetime free searches for just $10.
…
Ley notes that both of these problems were fixed earlier this morning. However, while investigating his report, Netcraft noticed at least one more serious phishing vulnerability which would allow an attacker to inject their own content using the Google web site. Such links are easily hidden in web forms or disguised as links in phishing mails. Netcraft has notified Google of the vulnerability and will explain the issue when we receive a response from Google.
[ Read more @ Netcraft ]
Links:
– Netcraft: Phishing Attacks possible on Google
– Jibbering musing
– PCWorld.com – Google Security Holes Surface
Thought:
Finally (sorry to say that), there is a security problem in the world's greatest search engine website. Ley said he reported the problem to Google TWO years ago.
If that’s true, then Google’s response to the security report really disappointed me, and fortunately we have been safe for these two years.
Hmm… better uninstall Google Desktop Search for the time being… In fact, I already did it a few days ago.