Google Blacklists Phishing Sites and Steals Passwords in the Process
This morning Legionnaire sent me an email pointing to a post that I thought was worth posting in case anyone else hadn't seen it. Google is indexing blacklists for its anti-phishing technology, but in doing so is stealing usernames and passwords. Bummer! As if it isn't hard enough to get people to adopt security, now people can claim that Google's built-in security is spyware too (not that web accelerator isn't spyware, but you get my drift).
There is a picture of this issue over on Finjan's website that shows the accidental logging of the user's credentials. You can see how Google is doing it, and it's kinda scary. And the worst part is there really is no good way to ensure that they aren't in there other than either not allowing anything with a username/password pair in the blacklist (which could be used against them) or by trying to strip them out (which again, could be used against them). In these cases I doubt the phishers did anything special with those sites, but that's not to say they couldn't. Thanks for the link Legionnaire!
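One defensive measure for the problem described above, as an added example that is not from the original post: redact credential-bearing query values (and any user:pass in the authority part) in blacklist or log entries before they are stored or shared, while keeping the parameter names and URL structure so the entry still identifies the page. The sensitive-parameter list and the sample entries are constructed assumptions for this example.

```python
# Added example, not code from the original post: scrub credentials from URLs
# before a phishing blacklist or access log is stored, indexed or shared.
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query parameter names treated as sensitive (assumption; extend for your site).
SENSITIVE_KEYS = {"pass", "password", "passwd", "pwd", "pin", "token",
                  "email", "user", "username", "login"}
REDACTED = "REDACTED"


def redact_url(url: str) -> str:
    """Return url with sensitive query values replaced by a placeholder and any
    user:pass@ prefix dropped from the host. Keys and their order are kept so
    the redacted entry still points at the same page; values are re-encoded
    by urlencode, so non-sensitive values may change encoding (e.g. ' ' -> '+')."""
    parts = urlsplit(url)
    # Credentials can also ride in the authority: http://user:pass@host/...
    host = parts.netloc.rsplit("@", 1)[-1]
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    cleaned = [(k, REDACTED if k.lower() in SENSITIVE_KEYS else v)
               for k, v in pairs]
    return urlunsplit((parts.scheme, host, parts.path,
                       urlencode(cleaned), parts.fragment))


def audit_entries(entries):
    """Redact every entry; return (redacted entries, number that leaked credentials).
    An entry counts as leaking when redaction changed it."""
    redacted = [redact_url(u) for u in entries]
    leaked = sum(1 for orig, new in zip(entries, redacted) if orig != new)
    return redacted, leaked


# Constructed sample blacklist entries in the shape the post describes.
SAMPLE_ENTRIES = [
    "http://example.com/save.php?email=someone@example.com&pass=s3cret&tipo=6",
    "http://alice:pw@example.com/login",
    "http://example.com/page.html",
]

if __name__ == "__main__":
    cleaned, count = audit_entries(SAMPLE_ENTRIES)
    for line in cleaned:
        print(line)
    print(f"{count} of {len(SAMPLE_ENTRIES)} entries carried credentials")
```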



January 23rd, 2007 at 9:59 pm
Pretty scary stuff. I just tested something: for a googledork search I put in Google:
“@yahoo.com&pass=”
and the second result listed has a website that displays stats for that site. What's funny is that site's stats script is caching usernames and passwords too.
example:
http://www.dressupcontest.com/save.php?email=badyaya973@hotmail.com&pass=*HiddenToProtectInnocent*&tipo=6&dollhair=4&dolltops=0&dollbottoms=0&dolldresses=1&dollshoes=5&dollaccesories1=0&dollaccesories2=1&dollaccesories3=0&dollaccesories4=0&dollaccesories5=0&dollaccesories6=
January 24th, 2007 at 7:19 am
Haha indeed!
You may even use something more general like “.com@pass=” and variations of this to collect many many authentication details. Some of them are invalid, others are not only valid but that user has used the same password over and over so you practically own his identity.
Of course you can’t go around and ask everyone to filter this kind of stuff (and if they do they’ll create a new exploitation point). So… what do we do? Maybe it’s time to forget about GET variables (I know it’s obvious but apparently not obvious enough!).
January 24th, 2007 at 9:30 am
Ugh… that technique led me to finding this: http://www.uvm.edu/~bmcelvan/Given/user-pass.txt
Pretty simple, but very powerful technique.