Google fix second phishing vulnerability
22nd October, 2004
Both problems would have allowed fraudsters to inject their own content onto Google’s web site, making the content appear to be published by Google. This is a very effective form of phishing, as people are more likely to trust content if it appears to be hosted on a familiar domain.
The vulnerability was in the application used to search Google’s own web site, hosted on googlesite.google.com. That host now appears to be unreachable, and searches now appear to run from the parent google.com site instead.
Interestingly, while confirming the fix, Netcraft discovered another application error, which this time revealed fragments of the source code, file structures and application logic that power the mysterious search behemoth; we have in turn reported this back to Google. At a glance, it is not clear whether the web application stack trace would be useful to an attacker. However, it does confirm the widely held belief that Google are users of the Python programming language.