Google Anti-Phishing Blacklist Inadvertently Made User Data Public

Search engine giant Google has erased some usernames and passwords it posted by mistake on a phishing blacklist it gathers and makes open to public through the Web.

Confirming its earlier reports, security firm Finjan reported that Google's anti-phishing blacklist having private usernames and passwords was exposed unprotected, on Google's servers. The company discovered the issue on January 3, 2007 and after informing Google, the data was withdrawn from public access.

Google uses a public blacklist reached on Google servers that lists fake sites pretending to be from banking and other financial institutions. Some of these phishing sites posted usernames and passwords directly on the URL thus enabling viewer ship by anyone.

Finjan noted this sensitive information could be used to compromise user confidentiality and also for identity theft or to gain financial profits. This was easy as users generally have the same web password for almost all their online accounts.

The security firm detected the problem on examining a list of URLs provided by Google servers for the common public, said Yuval Ben-Itzhak, chief technology officer of Finjan in a press release of January 22, 2007.

After assessing the data contained in these files, Finjan discovered that confidential user details were freely visible on the Web without protection. The information included usernames, passwords, e-mails and session tokens that hackers could misuse to compromise users' confidentiality.

15 URLs contained the login information that was submitted via Google's Firefox toolbar. The toolbar helps users to report suspicious phishing web pages. Majority of the URLs belonging to the list did not have login details. Google said it has a mechanism to detect URLs that submit login data but prevent that information from appearing on the list.

Finjan said it was notifying users who inadvertently revealed such information and asking them to set new passwords. IDG News Service reported this e-mailed statement.

The company noted its search index contained web contents and eliminating sensitive information from the index did not eliminate it from the Web. Thus it recommends users to seek removal of such information appropriately from the Web instead of just from the index.

Related article: Google Rectifies Gmail flaw in Three Days

» SPAMfighter News - 1/27/2007