Gmail Plus Phishing

Friday, September 15, 2006

Gmail Plus Phishing

Don’t enter your password into this site – it’s a proof of concept of how a phishing attack could be launched using the Google Public Service Search. The page looks like it’s official, and it’s indeed hosted on Google.com, but it’s not by Google. You’ll notice by the message you get after logging in:

You (could have) gotten served!

username = username you entered
password = password you entered No data was actually taken, just displayed to you :) This is just a proof of concept of what a malicious user could do with this exploit.

Eric Farraro has more info.

The discussion started in the forum.

[Thanks Yes and TomHTML.]

Gmail Plus Phishing by Philipp Lenssen

>> More posts

Blog | Forum more >> Archive | Feed | Google's blogs | About

This site unofficially covers Google™ and more with some rights reserved. Join our forum!