Phishing Attacks possible on Google

A British computer scientist has demonstrated that opportunities exist for fraudsters to launch phishing attacks using cross site scripting bugs on the very widely used Google sites.

Using these conduits, fraudsters would be able to inject their own content onto the site in order to collect credit card details and other sensitive information. Jim Ley's demonstrations include a well crafted credit card submission form which explained that Google was soon to become a subscription-only service at $5 per month, but that users could take advantage of an earlybird special offer to obtain lifetime free searches for just $10.

google2.gif

Google's introduction of the Google Desktop has exacerbated the situation, as Google search results can now include the content of local files. The vulnerability uncovered in the Google Desktop allowed an attacker to search a user's local machine for passwords and report the results directly back to the attacker's own web site.

Ley notes that both of these problems were fixed earlier this morning. However, while investigating his report, Netcraft noticed at least one more serious phishing vulnerability which would allow an attacker to inject their own content using the Google web site. Such links are easily hidden in web forms or disguised as links in phishing mails. Netcraft has notified Google of the vulnerability and will explain the issue when we receive a response from Google.

Although Ley was critical of Google's management of its security@google.com mail address, after Google ignored his multiple notifications of the problem over a two year period, very many large and successful organizations offer similar opportunities for fraudsters to attack their customers and user communities. In recent weeks SunTrust Bank, Mastercard, National Westminster and WorldPay have all become newsworthy for making cross site scripting available on their sites, as although it is a well known risk, it is an easy mistake for programmers to make.

Netcraft provides application security testing and a course on programming defensively to help companies eliminate these kinds of features from their sites.