Google Blogoscoped

Friday, September 15, 2006

Gmail Plus Phishing

Don’t enter your password into this site – it’s a proof of concept of how a phishing attack could be launched using the Google Public Service Search. The page looks like it’s official, and it’s indeed hosted on, but it’s not by Google. You’ll notice by the message you get after logging in:

You (could have) gotten served!

username = username you entered
password = password you entered

No data was actually taken, just displayed to you :) This is just a proof of concept of what a malicious user could do with this exploit.

Eric Farraro has more info.

The discussion started in the forum.

[Thanks Yes and TomHTML.]

