digg

Facebook Connect Join Digg About

Google's antiphishing plugin leaked passwords

arstechnica.com A recent press release from web security provider Finjan Inc. has exposed a security flaw with Google's antiphishing browser extension for the Firefox web browser. Apparently, the extension accidentally gathered some users' e-mail addresses and passwords.

Who dugg this? Made popular Jan 23, 2007

Digg DudeWhat is Digg?

Digg is a place for people to discover and share content from anywhere on the web. Digg surfaces the best stuff as submitted and voted on by the community. Take the Tour to learn more.

30 Comments

show profanity settings
expand all
  • OBKenobi, on 10/12/2007, -10/+25"Accidentally." Just like Google desktop search and Google web accelerator was doing the same thing? How is it that Google repeatedly manages to steal people's stuff?

    Maybe these are all harmless coincidences, but this is why you don't trust corporations with your sensitive data.

    Is Google "evil"? I don't know. Do you? Will they become evil five years from now? Will they comply with the NSA/CIA/FBI/MAFIAA/NWO? How do you know if they have or they haven't?

    No corporation is trustworthy unless they GUARANTEE IN WRITING that your privacy and data will be secure. Name one search engine or ISP that guarantees that. What OS guarantees that? Yeah, I know how you can communicate securely and create a secure installation of Linux, but the second you go out on the net using an insecure app, or leave your data on a 3rd party server, all that becomes worthless.
  • ThunderIT, on 10/12/2007, -1/+16Google only gave away the passwords of people who fell for the fishing in the first place, and the horribly programmed fishing sites used GET instead of POST so the passwords were in the URL, and google was making a list of fishing URLs

    google would never disclose your password, unless you were to disclose it first.
  • simpleid, on 10/12/2007, -3/+14"Is Google "evil"? I don't know."

    I'm pretty sure that -to be- evil is with intent, I don't see Google intending on being evil by having exploitable software. Have you ever heard of software which could not be exploited?

    Aside, it would be nice if people would be more aware of the risks in using technology, and never rely on one source for any protection/storage/etc.
  • Motocompo, on 10/12/2007, -1/+7Amiga OS 4 Guarantees my privacy.
  • weaksnyc, on 08/14/2009, -0/+5I disagree. If you don't like the "product" (which it's technically not yet) or you don't like the Beta tag, then don't use the software. And don't preach to me about the users being ignorant to what that term means, because this is a FIREFOX extension, not IE. The product is not finished, and is being offered free of charge with the understanding that bugs may exist. End of story.

    In response to other posts above, does anyone really believe these flaws were intentionally written into the programming?? Please put your mind to work on something useful. Google makes excellent products and charges nothing for them (besides a panel of TEXT ads that are actually relevant to the page content).

    *This was a response to a lower post, but it's still relevant...
  • slampaladino, on 10/12/2007, -0/+5OMG an ENTIRE 12 users??!?!

    buried
  • vdxc, on 09/29/2008, -0/+3Exactly, it's been made out that it was Google's fault when it's actually poorly coded websites.
  • sirber, on 10/12/2007, -0/+3If your website sends your password in GET, and no SSL, blame your website, not google.
    Everyone logs those, ISP, your proxy at work, apache logs on the remote server.

    marked as inacurate.
  • inactive, on 10/12/2007, -4/+7why do you need an anti phishing plug in? are you that fing stupid you can't tell when its a scam?
  • dreamlayers, on 10/12/2007, -0/+3Were these passwords for accounts used by phishers or others' passwords stolen by phishers?
  • profOblivion, on 10/12/2007, -1/+3OMG THE SOLUTION IS FIGHT SPAM WITH SPAM WHY DIDN'T I FIGURE THAT OUT!!

    The block button is wonderful. I think I shall click it.

    *click*
  • uberchaoslord, on 10/12/2007, -2/+4Well consider it this way: other corporations: "what do you mean there's a security hole? we have no idea what you mean. Please go on about your (insecure) business.

    Google: Sorry we have a security hole, which we're going to patch soon. Be aware of it for now though please.
  • joebloom, on 10/12/2007, -0/+2"Google's mission is to organize the world's information and make it universally accessible and useful."

    Hmm.. I think e-mails, usernames, and passwords comes within the definition of 'information'. The sneaky buggers.
  • sirber, on 10/12/2007, -0/+1none, simple URL from badly-written websites.
  • mattclare, on 10/12/2007, -0/+1shinda is right!

    The problem was some website had the username and password in the URL, something like http://whitehouse.gov/?email=george&password=skullnbones . Whomever designed the website to use the URL (GET) to pass that information is an idiot and the source of the security problem. Any one looking over your shoulder would see the password in the URL, let alone ISPs, etc.

    Any Firefox plugin that passes off URLs, like del.icio.us for example, would be "accidentally gathered some users' e-mail addresses and passwords"

    Blame Google when Google does something bad - this is the result of poor web designers who need to read one of the 500 "Securing PHP" articles on digg.
  • jrbrewin, on 10/12/2007, -1/+2glad i'm using IE. :->

    crweaks23 - if you believe all firefox users are geeks, you're more stupid that you first appeared. most firefox users use it because their friend told them to after they got malware dropped on their pc through IE, not because they like to download and compile the latest firefox code themselves.
  • senfo, on 10/12/2007, -1/+2@mikesbaker,

    Some phishing sites are quite deceptive, even with their domain names. But you're making a very bad assumption by assuming that the average web user is both educated enough, as well as proactive enough about verifying that they are in fact on the site that they think they should be on. A user need not be "stupid" to be scammed.
  • Brahma, on 10/12/2007, -1/+1It's very apparent that with a slew of product releases Google is trying to commit harakari. This is the 4th security flaw found in Google's product in less than a month. Agreed they have the famous Beta tag attached to their products, but how about some security auditing (internal or external) before the products are released to the general public.
  • inactive, on 10/12/2007, -0/+0Lol, the anti-phishing plugin turned into the allow-phishing plugin! That is just plain hilarious.
  • jrbrewin, on 10/12/2007, -1/+1all your information are belong to google.
  • 3Den, on 10/12/2007, -0/+0It didn't "Accidentally" do this.

    The websites in question "Accidentally" passed passwords in cleartext in GET urls.

  • shinda, on 10/12/2007, -1/+1Your intellect is starting to rival that of the average Microsoft user.

    It wasn't Google who screwed up. The sites they cached contained the user/password info of users of THAT site. Google simply collected it, the other site, sites that defraud users, were revealing it, NOT GOOGLE.

    This security 'leak' doesn't even really affect Google, but rather those sites that Google picked up on. We should instead be praising Google for removing the user id and pass that the site is publicly broadcasting from its saved criteria..
  • shinda, on 10/12/2007, -1/+0Then again they didn't do anything wrong now did they?
  • damndj, on 10/12/2007, -3/+1Google's security is starting to rival Microsoft.
  • shinda, on 10/12/2007, -2/+0How about the public use common sense and not devuldge important info or rely on trial/test versions of products??

    Stop blaming the shark, blame the sap who is swimming in the water.
  • uberdesigner, on 10/12/2007, -4/+1Google employees should start hitting the books rather than spend all of their time playing with their retarded toys.
  • LGgeek, on 10/12/2007, -5/+2Google already complies with the PRC and helps them suppress the chinese people by offer the chinese government software to censor a lot more then they could do on there own. If you cooperate with evil you are evil. Anything that is extracting information from your computer and sending somewhere is a security whole and you should NOT use it.
  • shinda, on 10/12/2007, -5/+1So what exactly you trying to say?

    You mad at google or at the media for creating a sense of failure in an imperfect industry?
  • v3rb4t1m, on 10/12/2007, -6/+0in Soviet Russia passwords phish you!
  • simpleid, on 10/12/2007, -8/+1edit:bury-wrong place

  • Add a Comment

    Login or register to comment!
    Or, sign-in super fast with your Facebook account ...


© Digg Inc. 2009 — Content created and posted by Digg users is dedicated to the public domain | Terms of Use Updated | Privacy Policy
DIGG, DIGG IT, DUGG, DIGG THIS, Digg graphics, logos, designs, page headers, button icons, scripts, and other service names are the trademarks of Digg Inc.