77 Comments
- emildew, on 10/12/2007, -4/+33
Were you stupid enough to put a real username and password in there after you were specifically TOLD it was a phishing expedition?
Sheesh.
- hulkdigg, on 10/12/2007, -1/+27
WOW - impressive spoof with the google.com in the URL.
- eric1, on 10/12/2007, -0/+26
Hey guys,
Thanks for helping me get to the front page :)
Epoch's comment pretty much summed it up. Basically Google lets you write custom headers that surround the search results. You can encapsulate said headers with a div, remove them with Javascript, and add your own content. In this case, I added a 'login page' for Gmail plus. Anyone who understands even a little about security should immediately grasp this.
For the person who asked, /u is used by Google for this 'Public Search Service'. When you use the service, your URL will look like: http://www.google.com/u/mysearch?q=blahblah. IMO, this is the ONLY tipoff that this is not legit.
If you 'fell for it', don't worry about it -- I really am not capturing anything :) The PHP page is just a simple echo POST, there is no database behind it, or other method of stealing your information.
The phishing site is still up, but the reason I posted it is because Google took down the login page for the service after I notified them about it. I wanted to make sure that other people could not exploit this to their advantage before I announced it.
Thanks again for digging this story!
- eric1, on 10/12/2007, -3/+28
Just a note: this exploit has been 'fixed' by closing the service temporarily, so it should be okay to disclose details of the exploit. It's quite interesting.
- epoch, on 10/12/2007, -0/+23
For those who don't understand.
Google serves a page like this:
----------------
header
----------------
search results
----------------
footer
----------------
The public service allows users to customize the header/footer sections of the page and google inserts the results. By adding some Javascript or CSS to the header and footer, it is possible to hide the search results completely and therefore fill the page with whatever you want. In this case, a scary-realistic Gmail-Plus login page which I almost fell for.
Does that help?
- lobsang, on 10/12/2007, -2/+23
The ingenuity and simplicity of this spoof are really admirable.
- valona, on 10/12/2007, -15/+32
If this was MS or Yahoo or pretty much anyone else, people would be blowing off about security, the evil corporate giant etc etc. But with Google, we get the fanboys out in force (despite the concept of someone being a fanboy of a webpage being the saddest thing ever), spouting forth such nuggets as "Nice find", "Elegant exploit", and the chief king of acceptance "Glad to see that there is an honest man who took the time and effort to notify Google of the problem. Thanks. I'm a devoted fan of Google." This exploit has been on the web for the past 14 hours and it is still active. Just because this guy revealed all, does not mean that others won't have more malicious intents. This is a grade A security issue, and needs to be fixed 12 hours ago. Potentially you could have access to someone's address (via Calendar), credit card details via Checkout. Does no one actually question anymore? Google are a multi-billion dollar publicly floated advertising based Internet company, not a bunch of hippies trying to make the world a better place. This level of ball licking makes me sick. Have you lost all your critical faculties?
- daborg, on 10/12/2007, -0/+14
@aniruddha23:
I believe "how exactly" and "dumbed down" don't really work together here. However, let's see...
If you're a university or non-profit organization you can use Google to let people search your website. The search results are displayed on www.google.com, giving them a lot of credibility. This guy (ab)used that service to produce a phishing page instead of searching his site. The page collects your google account username and password. Everything on the page is completely fake and made up and has nothing to do with google, but since it appears on www.google.com it seems real.
- Ghozt64, on 10/12/2007, -3/+17
The site is still working for me.
"You (could have) gotten served!
Test = username you entered
Test = password you entered
No data was actually taken, just displayed to you :) This is just a proof of concept of what a malicious user could do with this exploit."
- flipzmode, on 10/12/2007, -0/+13
I don't see any possible way that a phishing alert would detect this unless that specific page got blacklisted.
- DrSkrud, on 10/12/2007, -3/+16
Nice catch! That's an elegant little exploit. :)
- Khlept0, on 10/12/2007, -0/+13
Classic case of RTFA.
- Plik, on 10/12/2007, -0/+12
@deltahvy:
That would cause every single page that has a "search on google" kind of form to be marked as a phishing site ;)
- inactive, on 10/12/2007, -3/+14
it doesn't, site "works"
- inactive, on 10/12/2007, -0/+11
Imagine doing Google's Gbuy instead of GMail... and running a "special" promo to sign new credit card customers up...
This is truly scary
- ollywho, on 10/12/2007, -6/+16
Glad to see that there is an honest man who took the time and effort to notify Google of the problem. Thanks. I'm a devoted fan of Google.
- barryyams, on 10/12/2007, -4/+13
Glad to see he didn't goatse google
- rodrigo74, on 10/12/2007, -3/+12
Anyone with IE7 could check how its built-in "phishing alert" handles this?
- webcrumb, on 10/12/2007, -4/+12
It looks as though this has been fixed. From http://www.google.com/u/gplus:
"We're sorry...
... but your query looks similar to automated requests from a computer virus or spyware application. To protect our users, we can't process your request right now."
Plus, is it me or does the Gmail+ concept used actually sound very cool?
- joshfraz, on 10/12/2007, -1/+8
I'm very surprised that Google didn't think about this. It doesn't take much to figure out that letting people add their own headers and footers w/o checking for CSS and Javascript is a bad idea.
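Added example, not part of the thread and not Google's code: a server-side audit of a customer-supplied header or footer fragment, the kind of check the comments above say was missing. The tag and attribute allowlists, the name `audit_fragment` and the sample fragments are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed policy for this sketch; the real service's rules are not on the page.
ALLOWED_TAGS = {"a", "b", "br", "div", "em", "h1", "h2", "i", "img", "p",
                "span", "strong", "table", "td", "th", "tr"}
ALLOWED_ATTRS = {"align", "alt", "border", "height", "href", "src", "title", "width"}
URL_ATTRS = {"href", "src"}
VOID_TAGS = {"br", "img"}  # elements that never have a closing tag

class FragmentAuditor(HTMLParser):
    """Records every way a customer fragment steps outside the policy."""
    def __init__(self):
        super().__init__()
        self.violations = []
        self.open_tags = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:  # script, style, form, iframe, ...
            self.violations.append(f"tag <{tag}> not allowed")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)
        for name, value in attrs:
            if name not in ALLOWED_ATTRS:  # covers style= and every on* handler
                self.violations.append(f"attribute {name} on <{tag}> not allowed")
            elif name in URL_ATTRS and urlparse((value or "").strip()).scheme not in ("http", "https"):
                self.violations.append(f"{name} on <{tag}> must be an absolute http(s) URL")

    def handle_endtag(self, tag):
        if tag in VOID_TAGS:
            return
        if self.open_tags and self.open_tags[-1] == tag:
            self.open_tags.pop()
        else:  # would close an element that belongs to the host page
            self.violations.append(f"</{tag}> does not close the fragment's innermost open element")

def audit_fragment(html):
    """Return a list of violations; an empty list means the fragment is accepted."""
    auditor = FragmentAuditor()
    auditor.feed(html)
    auditor.close()
    for tag in auditor.open_tags:  # an open element would enclose the host markup that follows
        auditor.violations.append(f"<{tag}> left open at end of fragment")
    return auditor.violations

# Constructed sample fragments, not taken from the page discussed in the thread.
GOOD_HEADER = '<div align="center"><img src="https://example.org/logo.png" alt="logo"><br><b>Campus search</b></div>'
BAD_HEADER = '<script></script><div style="display:none">'
BAD_FOOTER = '</div><form action="https://collector.example/"></form>'
```

Each fragment is audited on its own, so a header cannot rely on the footer to close what it opened around the host's search box and results.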
- Alex.w, on 10/12/2007, -2/+8
They did, they took the signup page offline as soon as the guy emailed them about it.. Well handled IMO.
- inactive, on 10/12/2007, -0/+6
I find it unbelievable that in today's world of stupid amounts of JavaScript on every website that service providers are not focusing on malicious uses of JS. At my university we use www.blackboard.com's VLE. I have been able to successfully capture login information for lecturers and admins but no response has been had by blackboard, at least google responded to this and have taken action.
- morphie, on 10/12/2007, -4/+10
What disturbs me more is that it hits digg before google shut the spoof down.
- emildew, on 10/12/2007, -1/+7
The service he used to make that fake page is down, so nobody else can do it while Google works on a way to make this not possible.
- mapkinase, on 10/12/2007, -0/+5
So themadness "lived" the article instead of "reading" it... It is like doing a lab test instead of reading the lecture notes.
- inactive, on 10/12/2007, -1/+6
Firefox Beta 2 did NOT catch this when the phishing site worked as intended. After Google fixed this, FF 2.0 did put up a phishing warning (and a scary one too! Everything suddenly turned dark with red warning messages! It was cool!).
Seems to be the reverse of what should've happened. Firefox developers, get back to work!
- eric1, on 10/12/2007, -0/+4
They can't possibly have any idea what the site does behind the scenes (it executes a PHP file on my server that displays the information typed in), but they took down the LOGIN for the service, which is what allows you to customize it. You could not sign up for this service today, and use it -- the login page says 'Temporarily Unavailable'.
- jason2584, on 10/12/2007, -1/+5
Firefox's anti-phishing mechanism catches this because its data is provided by Google, and Google flagged it as a phishing site (naturally, it's exploiting their own site!). IE7 wouldn't necessarily catch it because its data is provided by Microsoft.
- eric1, on 10/12/2007, -0/+4
Apparently all the traffic raised a flag at Google and they removed it -- the link provided should still show screenshots of the exploit in action.
- ascheinberg, on 10/12/2007, -0/+4
How in the heck did this get past the Google code testers? Wow. This isn't really a hack, it's actually a very simple, very common javascript. I can't believe that made it through QA.
- moneysaver67, on 10/12/2007, -0/+4
Would anybody like a GMail Plus invite? I have 67 left... Just kidding.
- StarManta, on 10/12/2007, -1/+4
Aniruddha:
Basically, Google allows nonprofits and universities and such to create a customized homepage, and they do not allow you to mess with the search box itself - only the header and footer. The idea was, that box would tip off anyone that the page was not quite right if someone tried to exploit it.
This guy figured out that you could use Javascript to hide that box - essentially, creating a fully customized page hosted under the google.com domain. In this case, one that pretends to steal your google account password. The user doesn't see any red flags, however, because of the domain.
- themadness, on 10/12/2007, -1/+4
OMS my heart jumped about 382.6 beats when it showed me my username and password!
I must be one SERIOUS n00b *blush*
- dnite, on 10/12/2007, -0/+3
I haven't tried IE7, but Firefox 2 beta 2 DID catch this as a phishing site. The entire site went semi transparent w/ a popup speech bubble coming from the address bar telling the user that this site could result in identity theft or invasion of privacy. Anyone find out if IE7's anti-phish works yet?
- epoch, on 10/12/2007, -0/+3
You would have to ask Google about /u/ - it's their directory setup.
- daborg, on 10/12/2007, -2/+5
There's no need to take down the fake exploit page, as it's not malicious. Google plugged the hole by disabling access to the service, and they did that long ago.
- inactive, on 10/12/2007, -1/+3
I think they did but they brought it back up after they found that the guy was not doing anything malicious with it.
- wicketr, on 10/12/2007, -2/+4
Uh oh, someone's going to be working weekends at google. This is a fairly major bug that could do A LOT of damage to the user base if not fixed promptly.
- purelocke, on 10/12/2007, -1/+3
lol. a nice example of how a good phishing site works.
- b2drb, on 10/12/2007, -1/+3
anyone tried it on FF 2.0 ?
Guess FF won't catch this one either... this spoof is different than other spoofs because of the URL being (seemingly) correct.
- eric1, on 10/12/2007, -0/+2
@aclelland: They have taken action (sort of) by shutting down the login page that allows you to add your headers and footers. It is not possible to do this today, if you wanted to, or even log in to an existing 'Site Search' and change it.
- sakabako, on 10/12/2007, -0/+2
They might have changed it so the form goes to Google instead of his server and put up a lookalike. I don't know though, I didn't try it.
- fffizzz, on 10/12/2007, -4/+5
That's nasty! Nice find, let's hope Google does something about this soon.
- Satertek, on 10/12/2007, -0/+1
I get a cool 'Suspected Web Forgery' warning in Firefox from that site.
- Mofo, on 10/12/2007, -0/+1
Just tried it and google had it shut down. Not only that but firefox 2 beta 2 correctly warned it was a phishing site!
- Rivetgeek, on 10/12/2007, -0/+1
spamming *****
- webcrumb, on 10/12/2007, -1/+2
"You have a surplus colon at the end of your link"
LOL, that's grammar for you. :) I copied & pasted from the item description. The correct link came up with that error for me.
- kosten, on 10/12/2007, -0/+1
When I try the url, right now, my google toolbar prompts to show this url could be a phishing attack instead of service available.
- Jugalator, on 10/12/2007, -1/+2
Reminds me of a site that turned a part of URLs into HTML markup, possible you could wrap it into <script> tags too. :-p
- cyssero, on 04/18/2009, -1/+2
I am both shocked and amazed. And although I consider myself extremely secure with my information, I would have probably given away my details to this site -- which makes me depressed. The /u/ did raise an eyebrow, so maybe I would have thought twice before doing it.
Very impressive and appropriate title. And yes, I am still surprised to see that Google have not yanked the page yet.