G Anti Phishing Toolbar Phishes for the Phishers

Google's anti-phishing toolbar is a great idea in theory and overall amazingly implemented, but one major flaw in the way it operates is that some of the data is web accessible to anyone.

This is indeed a requirement to ensure that the security it delivers can be available to anyone without being signed in to Google, but there is a problem with this too.

It means that if a phishing attack is going on at present (and one always is) then you can see a growing list of phishing victims being hit and have direct, unencrypted access to lots and lots and lots of usernames and passwords for major sites.

Why phish when G (inadvertently) can phish for you?

N.B. URL purposely held back until G get a chance to fix it, when I'll also add cleaned screenshots (usernames and passwords will be obscured).

P.S. The source will be credited with a link too once G have fixed this, as an example URL was given there and I don't want to spread the bad news on this one.


hmmmm

Can someone explain how this works?

Google has a list of websites that are phishers.
Anyone can download the list of phishers.

How does that expose the usernames/passwords of real users?
Is it because the phishing sites themselves are vulnerable and you can get the information that they've harvested thus far?


It is hard to show at the

It is hard to show at the moment without an example URL, but I will explain what I believe is happening. I am pretty sure that once the issue has been fixed / discussed at G there will be commentary here from a G rep.

The anti-phishing toolbar sits in the browser of a user. Every time a URL is accessed, the anti-phishing toolbar checks the URL against a DB of known phishing URLs. One of the URLs within the database accepts name/value pairs via GET rather than POST and is a specific Google Gadget, the JavaScript tools that allow you to customise your G personalised home page and/or any other page on the internet.

Arguably the anti-phishing toolbar is working correctly. It is identifying URLs where a logon and password for a certain site are potentially being captured, as the details are being sent in plain text as variables to a specific URL. Unfortunately that URL (due to it accepting GET requests with the logon/pass combination included) is generating hundreds (thousands?) of new URLs that are all being stored at G as phishing URLs.

The problem (Google Gadget aside for a moment) is that this constantly growing DB of new URLs is publicly accessible, to allow the anti-phishing toolbar to verify / warn other users about these URLs.

This is an awkward problem for G, and the only answer I can think of is that rather than a specific URL being stored in plain text, a list of hashes should be stored instead.
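To make the two designs concrete, here is an added example (my own sketch, not Google's code) contrasting a list that stores reported URLs verbatim with the hash-based list suggested above. The reported URLs, hostnames and credentials are all constructed for the example; SHA-256 over the canonical scheme/host/path is my choice of hash, not a description of what Google actually deployed.

```python
import hashlib
from urllib.parse import urlsplit, urlunsplit

# Constructed sample of what the reporting side of such a toolbar might receive:
# one phishing page reported by several victims, each report carrying that
# victim's own credentials in the query string. Hostnames and credentials are
# made up for this example.
REPORTED_URLS = [
    "http://phisher.example.net/login.asp?user=alice&pass=hunter2",
    "http://phisher.example.net/login.asp?user=bob&pass=letmein",
    "http://phisher.example.net/login.asp?user=carol&pass=qwerty",
    "http://other-phish.example.org/ebay/?id=dave&pw=s3cret",
]


def canonicalize(url: str) -> str:
    """Reduce a URL to scheme://host/path.

    The query string and fragment are dropped, so per-victim parameters
    (usernames, passwords, session ids) never reach the stored list.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    return urlunsplit((parts.scheme.lower(), host, path, "", ""))


def plaintext_blacklist(urls):
    """The flawed design described in the post: every reported URL is stored
    verbatim, so the public list grows by one readable entry per victim."""
    return sorted(set(urls))


def hashed_blacklist(urls):
    """The suggested fix: store only a hash of the canonical URL, one entry per
    phishing page regardless of how many victims reported it."""
    return sorted({hashlib.sha256(canonicalize(u).encode()).hexdigest() for u in urls})


def is_blacklisted(url: str, hashed_list) -> bool:
    """Client-side check: hash the canonical form of the visited URL and look
    it up. A visit with a brand-new query string still matches."""
    digest = hashlib.sha256(canonicalize(url).encode()).hexdigest()
    return digest in set(hashed_list)


def leaks_credentials(entries) -> bool:
    """Crude check for the symptom in the post: does anything that looks like a
    password parameter survive in the data that would be published?"""
    return any("pass=" in e or "pw=" in e for e in entries)


if __name__ == "__main__":
    print("plaintext list leaks credentials:", leaks_credentials(plaintext_blacklist(REPORTED_URLS)))
    print("hashed list leaks credentials:   ", leaks_credentials(hashed_blacklist(REPORTED_URLS)))
    print("new victim's visit still flagged:",
          is_blacklisted("http://phisher.example.net/login.asp?user=erin&pass=new", hashed_blacklist(REPORTED_URLS)))
```

Note that it is the canonicalisation (dropping the query string) that actually stops the credential leak; hashing on top of it keeps the published list from doubling as a readable directory of phishing hosts, but a hash of a guessable URL can still be matched by anyone who guesses it, so the two measures do different jobs.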


ok

So, Sammy Sucker uses the Google anti-phishing feature. She visits http://phisher.ebay.example.com and gets suckered into delivering her eBay credentials using a GET, so the page gets posted to http://phisher.ebay.example.com?user=sammyusername&pass=sammypassword. This is then posted to the Google phishing list and included in the list without being filtered. That will be interesting to see if it is confirmed...


Greggles. You have it spot

Greggles. You have it spot on and it is confirmed by me and others.


2007: Year of the Noob

God damn!

This is like geek site galore reddit.com storing the user passwords in plaintext so that the user can have it emailed back to them, instead of reset (which I've always liked), according to spez (main developer), and then going, Oops, our database of passwords was stolen, but we won't tell you how or when but your username is one of a hundred thousand, so no one should sweat it too much. O, btw, your email address is associated with your password.

I'm sick of all these noobish admins running large popular operations, be they google, reddit, digg (do you *know* digg has near-zero caching and runs on ~150 servers as a result??), or the host of SEO noobs who totally frack up small businesses' chances of ever being ranked well in the major SEs.

2007: Year of the Noob


Hey Google. Where is the

Hey Google. Where is the news?


I've just had confirmation

I've just had confirmation from a Google representative that this has now been fixed, so I am happy to share what happened and credit the original source, especially as El Reg are also covering this.

A discussion occurred within the Full Disclosure email list about Google's anti-phishing DB. During that conversation JM found that usernames and passwords were being captured and made publicly web accessible.

The example URL that JM gave - http://sb.google.com/safebrowsing/update?version=goog-black-url:1:7753 - contained many hundreds, and over time thousands, of username and password pairs for MySpace. Other sites also had their usernames and passwords stored in the same manner.

The example given in the discussion was a little unusual in that (IMHO, without detailed research) I don't think it actually was a phishing attempt, although raw logs would show all the telltale signs of being one.

The logs showed URLs such as:

http://www.ebuell.com/gadgets/myspace.asp?up_Username=EDITED_BY_JASON&up_Password=EDITED_BY_JASON&lang=en&country=us&.lang=en&.country=us&synd=ig&mid=58&parent=http://www.google.com&&libs=EDITED/lib/libcore.js

The reason I say this is slightly unusual is that a guy called Jason Buell is a widget developer for Google personalised home page widgets. One of his widgets is a MySpace alerter, and it has proved very popular: according to the cached page within Google itself, on the 31st of December Jason was the 40th most popular Google Gadget developer.

As of today Jason isn't even in the top 80.

One of Jason's widgets/gadgets is a MySpace notifier, and this application calls home with the username and password in plain text. The weird position is that in this particular instance we have a Google service, aiming to protect the world from phishing attempts, flagging up a Google hosted / promoted service that is generally deployed on a Google domain and that allows proxied interaction with a heavily phished service in an insecure manner.

So Google asks for developers to develop services for its personalised home page, gets them, flags them up as phishing sites, then tells the world about it!!

Notwithstanding what I have just said, I will reiterate what I said previously. I think the anti-phishing toolbar idea is great. I also think that this is one of those problems that may well not have been thought about prior to being seen in action, so don't hold anything against G on this; overall, a few days to fix it is a great response. My only criticism is this: why did the pages stay live with usernames and passwords after Goog were aware of the problem, until a fix was in place that allowed the toolbars and other users of the service to continue to provide the protection they were designed to give?
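The gadget URL quoted above is a good illustration of the operational lesson here: anything that ingests visited URLs and republishes them needs to scrub credential-bearing query parameters before storage. The following is an added example of that scrubbing step, written by me for this page and not code from Google or from the gadget's author. The log lines, hostname and parameter values are constructed; the list of credential-like parameter names is a heuristic I chose (it accepts prefixes such as the "up_" seen in the quoted URL) and will not catch every custom name.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Parameter names that commonly carry a login or password. An optional
# "<word>_" prefix is tolerated so that names like up_Username / up_Password
# (the style seen in the gadget URL quoted in the post) are caught too.
CREDENTIAL_KEY = re.compile(
    r"^(?:[a-z0-9]+_)?(?:user(?:name)?|login|pass(?:word|wd)?|pwd|pw)$", re.I
)

# Anything that looks like an absolute http(s) URL inside a log line.
URL_RE = re.compile(r"https?://\S+")

# Constructed log lines in a simple "<timestamp> GET <url>" format.
# The hostname, usernames and passwords are made up for this example.
LOG_LINES = [
    "2007-01-02T10:00:01Z GET http://gadget-host.example.com/gadgets/myspace.asp"
    "?up_Username=victim1&up_Password=s3cret1&lang=en&synd=ig&mid=58&parent=http://www.google.com",
    "2007-01-02T10:00:02Z GET http://www.example.com/news/?lang=en",
    "2007-01-02T10:00:03Z GET http://phisher.example.net/ebay/?user=victim2&pw=s3cret2",
]


def find_credential_params(url: str):
    """Return the names of query parameters that look like credentials."""
    query = urlsplit(url).query
    return [k for k, _ in parse_qsl(query, keep_blank_values=True) if CREDENTIAL_KEY.match(k)]


def redact_url(url: str, placeholder: str = "REDACTED") -> str:
    """Replace the values of credential-like parameters.

    Every other parameter is kept, so the redacted URL is still usable as a
    phishing indicator (host, path and the non-secret parameters survive).
    """
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    cleaned = [(k, placeholder if CREDENTIAL_KEY.match(k) else v) for k, v in pairs]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(cleaned), parts.fragment))


def scrub_log(lines):
    """Redact every URL in the given log lines before they are stored or shared.

    Returns (cleaned_lines, number_of_lines_that_carried_credentials); the
    count is useful as a detection signal in its own right.
    """
    cleaned, hits = [], 0
    for line in lines:
        if any(find_credential_params(url) for url in URL_RE.findall(line)):
            hits += 1
        cleaned.append(URL_RE.sub(lambda m: redact_url(m.group(0)), line))
    return cleaned, hits


if __name__ == "__main__":
    out, n = scrub_log(LOG_LINES)
    print(f"{n} of {len(LOG_LINES)} lines carried credentials")
    for line in out:
        print(line)
```

The point of redacting rather than dropping such lines is that a URL with its secrets blanked is still a valid phishing indicator to publish, whereas the verbatim URL is exactly the leak the post describes.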


It broke here 1st boys n

It broke here 1st boys n gals.

Quote:
Security firm Finjan said that it first notified Google of the problem on 3 January, and confirmed that the list has since been cleaned of any sensitive user information.

Google were notified on the 3rd Jan according to Finjan whereas we posted about it on the 2nd and told Goog prior to the post going live.

A penny to a pound FinJan never credited the true source either - the Full Disclosure email list.