33 Comments
- Kavok, on 10/12/2007, -2/+26 Why the hell are passwords in the URL to begin with?
- podgey22, on 10/12/2007, -8/+22 mirrorfan? Another spamming account? ***** OFF AND DIE IN A BURNING CAR
- D3koy, on 10/12/2007, -2/+12 there oughta be a 24 hour waiting period between signing up and commenting...
- Krzysean, on 10/12/2007, -4/+12 Mirrorfan, please ***** die.
- loof, on 10/12/2007, -0/+7 @scubajim
Do you really think google sold your address within 10 mins of you and a friend signing up? I get spam at my site for addresses that don't exist because the spambots just randomly come up with possible names and send them to @ my site. Which automatically forwards anything to my main mailbox.
- PathDaemon, on 10/12/2007, -0/+7 'Cuz it's a phisher's site and phishers don't give a crap about privacy.
- lozaning, on 10/12/2007, -1/+7 @scubajim
you do realize that spammers don't care if they send email to email addresses that don't exist. if you picked a very generic email address like "tom@gmail.com" you can sure as hell bet you're going to get spam. spammers know that with several thousands of people registered with gmail one of them prolly has "tom@gmail.com". go re register with an email address of "9dn489ynd84hsdkcnc8y4klhg8yu4hnfd8yddnkfd84yungr9h@gmail.com" and see how much spam you get.
damn scubajim, others beat me to giving you the smack down
- inactive, on 10/12/2007, -2/+6 @scubajim
***** there are some stupid people out there
- onidraky, on 10/12/2007, -1/+4 @scubajim
I've had my gmail address for years now and I have yet to get a single spam email. Have you ever figured maybe it's just you?
- estvir, on 10/12/2007, -5/+8 .. because it has better anti-phishing? Or maybe it's the Protected Mode? Or quite possibly someone prefers the GUI? Or maybe it's the good RSS integration? Or ..
I could go on for awhile. FF may be for you (And me), but for others, they like IE7.
- dbre2, on 10/12/2007, -0/+3 I don't see why Kavok is getting dugg down, it's a valid question...
- Krumm, on 10/12/2007, -1/+3 How come there are Online Banking details fed over standard http and not https?
I know it was just plain sloppy of Google to release this into the public domain without stripping the info, but shouldn't the banks involved get an ass kicking?
Or is this where someone has been successfully phished and their details are in the process of being stolen as they pass through Google?
- ebob9, on 10/12/2007, -0/+2 After viewing the link of phishing sites:
http://sb.google.com/safebrowsing/update?version=goog-black-url:1:1
I felt the urge to go to each one and enter tons of fake but believable information. Is it wrong to fight fraud with Spam?
- akira117, on 10/12/2007, -0/+2 And the url: http://sb.google.com/safebrowsing/update?version=goog-black-url:1:1
- Krumm, on 10/12/2007, -0/+1 Well, that would fall under the 'successfully phished' category then. Why not read comments instead of just being a patronizing turd?
- YellowJKT, on 10/12/2007, -0/+1 @ebob9: yeah. and only then they will notice it with a bunch of "username=DIGG password:DOTCOM" entries flooding the DB
- fatdog789, on 10/12/2007, -0/+1 You've got your priorities misplaced.
- RMorris, on 10/12/2007, -0/+1 ebob9:
Not at all, corrupting their data makes it useless and gives them problems when they try to peddle it.
- amphetameme, on 10/12/2007, -2/+2 Okay, hold up. First, confidential information found in what, URLs someone's searched on? Or URLs that are from people's Gmail?
I think before folks start throwing stones and panicking, you should explain what this blacklist was supposed to be about.
Not to mention, Google is not about to scrub user's account names and passwords from this "blacklist" if a user (or more importantly the company he was using for his bank) was stupid enough to include things like passcodes in an open url string. Google doesn't have to be smart enough to scrub that crap out for you. You do, and your bank does. I'd get pissed off at the bank long before I got pissed off at Google.
- kgraves83, on 10/12/2007, -1/+1 This is not Google's fault at all. Anyone can get your user name and password if they are being passed through a URL over an unencrypted connection. The fact that it got caught in Google's blacklist just emphasizes why you shouldn't handle login info that way.
- Kavok, on 10/12/2007, -0/+0 Ironically enough if those customers/users have already been phished then the login credentials aren't secure anyways, right?
- Agret, on 10/12/2007, -1/+1 "shouldn't the banks involved get an ass kicking"
Google don't blacklist real banks, dumbass.
- ldkronos, on 10/12/2007, -2/+2 Yes, it's a VERY valid question.
Whenever I have a password in the form, the form uses POST rather than GET. Using GET (which puts all the parameters in the URL rather than having them hidden) would allow anyone looking at the user's screen to see the password in the browser's URL bar. It will also be recorded in the browser's history.
Edit: OK....phishing site. That makes sense (though I don't think it warranted burying Kavok's comment). Thanks PathDaemon
- WetSplatter, on 10/12/2007, -0/+0 Exactly, ANY BANK that uses the query string and not encrypted variables is simply.. asinine. Don't blame Google for the banks security risk.
- rcran, on 10/12/2007, -8/+7 Did you see that link he posted?
Isn't he a nice guy?
I just LOVE IT when mirrorfan posts links...
/reverse psychology
- D3koy, on 10/12/2007, -5/+4 Google will be Google...
- gheide, on 10/12/2007, -2/+1 How many of these addresses have an exploitable version of VNC or even Linux?? Or even still active for that matter??
- NtHammer, on 10/12/2007, -5/+3 why the hell are they using IE7!?
- tom6a, on 10/12/2007, -11/+9 This brings up the question (once again) about the information we trust with google and other search engines. Just four months ago AOL released about 20 million search engine records that could be used to id surfers:
AOL Apologizes for Releasing Search Data from 658,000 Users
http://www.omninerd.com/2006/08/08/news/864
Of all the search engines, Google generally holds the reputation of protecting data better than others but they also, I think, store more. Should we be worried?
- dt40, on 10/12/2007, -5/+2 "Don't be evil."
Indeed.
- steven401, on 10/12/2007, -7/+4 I was thinking the same thing.
http://www.ie7.com/
- DenDen, on 10/12/2007, -15/+3 Doesn't surprise me, Yahoo's better anyway.
- scubajim, on 10/12/2007, -23/+1 It is amazing how people think Google has user friendly privacy rules. I created a gmail account and within 10 minutes I had spam. I hadn't even sent any mail to it or published the email address. The same thing happened to my friend. Clearly Google is selling the email address book.

