Google Loophole Exposes Websites to Phishing Scam
What do several Banks, Credit Unions, Universities, countless business websites, dozens of government websites, and Google all have in common? A new Cross-Site Scripting (XSS) vulnerability- one that affects a lot of large websites, many of those are ripe for phishing exploits.
A security flaw in Google's search appliances could expose Web sites that use the products to information-stealing phishing attacks, experts warned November 27, 2006.
The Google Search Appliance and Google Mini are used by organizations including banks and universities to add search features to Web sites. A flaw in the way the systems handle certain characters makes it possible to craft a Web link that looks like it points to a trusted site, but when clicked serves up content from a third, potentially malicious site.
Several banks, credit unions, universities, business websites, government websites and Google are common in at least one way. They all have a new 'Cross-Site Scripting' (XSS) vulnerability that is harmful for a lot of large websites, many of them capable of 'phishing exploits'. In connection to this, experts warned on November 27, 2006 that a security loophole in Google's 'search appliance' could contact websites to 'information stealing phishing attacks'.
Universities and banks use the 'Google Search Appliance' and 'Google Mini' to upgrade their Websites with 'search features'. A weakness in a system's software enables to design a Web link, which appears to connect a legitimate Website but on clicking shows content from another, possibly malicious site.
'Google Search Appliance' is built from the scratch to take up to a search engine for an organization's Website or 'file server'. Google has priced this device for less than $2,000, which can be set up to run within an hour.
The vulnerability allows cyber crooks to hook phishing attacks and scams, which try to fool people into divulging confidential information like credit card numbers and details of 'Social Security' numbers. phishing attacks work through spam mail that connect to a fake website.
Describing the vulnerability, John Herron, a 'security expert' who takes care of the NIST.org site, says that it affects a number of large websites. It basically defaces a website when it follows a malicious link.
A spokesperson for Google said through e-mail that they discovered the problem in the second last week of November 2006. While notifying all its customers, Google has provided clear instructions appliances' safety. He added that no 'Google Search Appliance' or 'Google Mini' user has come up with any impact of the vulnerability.
Researchers have uncovered several other vulnerable sites, including some very known ones. They have informed the matter to US-CERT.GOV/ CET.ORG and also to one of the government organizations whose site has been affected. Since a large number of financial institutions and government agencies use this appliance, there is little doubt that they will be safe from a large scale 'phishing attack' in the future.
Related article: Google Rectifies Gmail flaw in Three Days
» SPAMfighter News - 01-12-2006