Google acts to cover up phishing hole
Published: 21 Oct 2004 09:20 BST
Google on Thursday fixed a security flaw in its Web search service that could have allowed malicious hackers to modify its pages.
According to a report posted to the Bugtraq Security Focus list on Wednesday, Google's new Desktop Search tool did not prevent a hacker from inserting JavaScript, a programming language, into the Web address of its page image, or logo. That vulnerability could have allowed any rogue third party to change the appearance of Google's Web page to ask for personal data such as credit card numbers from its visitors, what's known as a phishing scam, according to the warning.
Google said it has fixed the problem.
"Google was recently alerted to a potential security vulnerability affecting users of our Web site," a company representative said. "We have since fixed this vulnerability, and all current and future Google.com users are protected."
The warning came only a week after Google released its newest product -- a tool to search the files on a PC alongside Web pages. Security experts have scrutinised the technology, with some interesting finds. Last week, security consultant Richard Smith found clues that could point to a coming instant chat client from the search giant.
Jim Ley posted, in his Web log, the warning about Google's script-insertion flaw, which he said has affected Google's main site for as long as two years. But with the addition of Google Desktop, the flaw became more serious, he said, because "it places the results of a desktop search into the output of a regular Google search." He said that the flaw could have allowed third parties to make a record of all the searches people make.
The flaw primarily had affected people using Microsoft's Internet Explorer Web browser, Ley said.
Did you find this article useful?
65 out of 124 people found this useful
- Share this article:
