ericfarraro.com — Don't trust the URL -- things are not as they seem. A clever exploit in a little known Google service could be used to launch phishing attacks, by imitating Google services -- hosted on Google's own servers! Read the article for more information, or see a proof of concept in action: http://www.google.com/u/gplus.
Sep 15, 2006 View in Crawl 4
eric1Sep 15, 2006Submitter
Just a note: this exploit has been 'fixed' by closing the service temporarily, so it should be okay to disclose details of the exploit. It's quite interesting.
joshfrazSep 15, 2006
I'm very surprised that Google didn't think about this. It doesn't take much to figure out that letting people add their own headers and footers w/o checking for CSS and Javascript is a bad idea.
eric1Sep 15, 2006Submitter
@aclelland: They have taken action (sort of) by shutting down the login page that allows you to add your headers and footers. It is not possible to do this today, if you wanted to, or even log in to an existing 'Site Search' and change it.
hedgeitSep 15, 2006
@webcrumb:You have a surplus colon at the end of your link. Remove it, and the page still works as adverstised.
Closed AccountSep 15, 2006
Firefox Beta 2 did NOT catch this when the phishing site worked as intended. After Google fixed this, FF 2.0 did put up a phishing warning (and a scary one too! Everything suddenly turned dark with red warning messages! It was cool!).Seems to be the reverse of what should've happened. Firefox developers, get back to work!
greatromanceSep 15, 2006
Hopefullly Google will come up with something to work around this exploit. Alot of people could get burned from something like this. But i'm glad there's people out there like this to report these exploits. We need more people like this guy.
Closed AccountSep 15, 2006
"Google to launch Gmail Plus service?" - I know you 'meant well' to attract digg users attention, but please in future label the article correctly.
Closed AccountDec 28, 2006
spamming f**ktard