Google Blogoscoped

Forum

Gmail Plus ? Phising !

TOMHTML [PersonRank 10]

Friday, September 15, 2006
8 years ago11,294 views

/! WARNING, DO NOT TYPE IN YOUR USERNAME AND YOUR PASSWORD ON THE FOLLOWING SITE /!

google.com/u/gplus
really realistic isn't it? But absolutely false!

sources : ericfarraro.com/?p=6 & 3couleurs.blogspot.com/2006/09 ...

Jake's View [PersonRank 10]

8 years ago #

That's cool! (in the spoof sense of ways)

Sam Davyson [PersonRank 10]

8 years ago #

I fully agree with Jake. It is a clever spoof.

/pd [PersonRank 10]

8 years ago #

why is hosted on the google server ??

and I am not seeing an XSS script attack and redirect

/pd [PersonRank 10]

8 years ago #

this is a *very* clever hack!!

Ludwik Trammer [PersonRank 10]

8 years ago #

> why is hosted on the google server ??

www.google.com/u/... hosts websearch in users' design. Here is one that I made about 5 years ago – google.com/u/bednarska

zmarties [PersonRank 10]

8 years ago #

Read the first link – ericfarraro.com/?p=6

It really is hosted at Google.

Having been informed of the problem, Google have suspended the service that allowed such pages to be set up on Google's server, but they have not removed this particular page.

The author claims not to record the passwords – it was just a proof of concept.

Ionut Alex. Chitu [PersonRank 10]

8 years ago #

Nah! You can't be fooled. Google's login page is secured (https). In Firefox, the address bar is yellow.

TOMHTML [PersonRank 10]

8 years ago #

We can't be fooled, but the majority of the users of Gmail doens't look at httpS or not...

Ryan [PersonRank 0]

8 years ago #

Wow.. it's not like Google to not find exploits like this..

I haven't played with pagecreator yet, but I wonder if one can do something similiar with that.

and how did I never know of the /u service? :'(

Corsin Camichel [PersonRank 10]

8 years ago #

ehm, you could read the users *.google.com cookie, right?

Kirby Witmer [PersonRank 10]

8 years ago #

yikes!!!

stefan2904 [PersonRank 10]

8 years ago #

uh, dangerous thing.

Tony Ruscoe [PersonRank 10]

8 years ago #

Corsin, you're right. A bit of javascript could easily post the contents of the cookie to another page, which effectively could be used to login to other Google services regardless of whether the user provided their username and password or not!

It's simply unbelievable that they even offered this in the first place. It should be hosted on a different domain, like they did for Google Page Creator.

Ludwik Trammer [PersonRank 10]

8 years ago #

> It's simply unbelievable that they even offered this in the first place.

This service has been made when Google was only search engine, and there was no Google Accounts. But yes – this is scary. You can check source of google.com/u/gplus – it contains JavaScript (from original Gmail site). Google should automatically strip the user code from any scripts.

Tony Ruscoe [PersonRank 10]

8 years ago #

I see. I understand how something like this could happen. However, I think the only thing they can do now is setup redirects to forward all these pages to another domain – like googlesearch.com/u/plus – to prevent any cookie theft or manually review each page that's already been created.

Stripping out JS code would be another option but some people would genuinely require client-side scripting in those pages. Another option would be to insert a header in each page stating that it's not run by Google, but even that could be open to abuse.

Of course, if someone was to give their details to a page like that, they'd probably give them to a page hosted on a non-Google.com domain anyway – like googletalkplus.com or whatever.

I wonder, when a new service is linked to from numerous blogs, how many people actually check the URL / domain / secure certificate before entering their login details? I would guess that many are so eager to be one of the first to use the new service that many wouldn't even think twice...

/pd [PersonRank 10]

8 years ago #

FWIW, I'll just tuck this link in here.

Its an interesting read on the Google BInary Search Algo hack's (or rather ..malcode .!! :)-

portal.spidynamics.com/blogs/m ...

rxbbx [PersonRank 1]

8 years ago #

it seems google took their actions.. i cant get to the site anymore..

Roger Browne [PersonRank 10]

8 years ago #

Google is using the "We're sorry... but your query looks similar to automated requests from a computer virus or spyware application" message for a lot of things that are not a computer virus or spyware.

This, and searching for 16-digit numbers more than 5 times in an hour.

Kirby Witmer [PersonRank 10]

8 years ago #

>>>>Google is using the "We're sorry... but your query looks similar to automated requests from a computer virus or spyware application" message for a lot of things that are not a computer virus or spyware.<<<

i get the same message..

Nagesh [PersonRank 0]

8 years ago #


Firefox 2.0 Beta 2 tells me that this is a phising site and shades out the contents of the page. Gives me an option to "get in" or "get out"

Jack Hynes [PersonRank 6]

8 years ago #

I'm getting the same result as Nagesh using Firefox 2.0 Beta 2. I think it's the first site I've come across that this has happened. I must not go to many dodgy sites?!

Haochi [PersonRank 10]

8 years ago #

It's not a hack, Google is using that page to test their Safe Browse feature in the Google Toolbar...Remember the blacklist?

Aaron Myers [PersonRank 2]

8 years ago #

No, someone else did code this (wasn't Google) because when you logged in it redirected to another site (not hosted on the Google servers).

Sohil [PersonRank 10]

8 years ago #

[put at-character here] Haochi, no thats a different site.

This really wasn't Google.

Haochi [PersonRank 10]

8 years ago #

Okay, I know now... :(
Official explanation,
googlewebmastercentral.blogspo ...

TOMHTML [PersonRank 10]

8 years ago #

Official explanation... they explains nothing, in fact. Just : "We are not aware of any malicious exploits of this problem and this service represents an extremely small portion of searches."

Roger Browne [PersonRank 10]

8 years ago #

That kind of bland, reassuring "official explanation" is what happens once a corporation gets big enough to employ a public relations department.

A corporation with real integrity would, as soon as they had fixed the problem, link to Eric Farraro's post and thank him for notifying them.

Fortunately, their blog shows backlinks – some of which give the full details.

mroonie [PersonRank 0]

8 years ago #

companies who are commonly imitated by phishers, or even companies who aren't, should take more responsibility in educating customers and also standardizing processes to make phishing attempts more recognizeable so that customers don't fall for them. For example, the general internet user doesn't know the difference between http and https. This kind of information is valuable for the average user. Also, if emails were sent in using some kind of protection/encryption/stamp of authentication, then customers woudln't fall victim to so many phishing attempts.

In the end, it ups company reputation so why aren't more companies being more proactive?
essentialsecurity.com/news_bus ...

K S [PersonRank 0]

8 years ago #

Add this too ...

www.hal10000.de/mkportal/
editor/fckeditor/editor/plugins/
tablecommands/

[Unlinked link, phishing. -Philipp]

Jake's View [PersonRank 10]

8 years ago #

Now when I go there, I get redirected to this page:
www.googlesyndicatedsearch.com/u/gplus

Now it just shows a 404.

[Unlinked link... -Philipp]

This thread is locked as it's old... but you can create a new thread in the forum. 

Forum home

Advertisement

 
Blog  |  Forum     more >> Archive | Feed | Google's blogs | About
Advertisement

 

This site unofficially covers Google™ and more with some rights reserved. Join our forum!