Comments on: Google exploit

Question: Google exploit

Jimbob — Fri, 15 Sep 2006 03:52:51 -0800

Can someone explain to me what this: http://www.google.com/u/gplus is all about? How is it done? Hint: you may not want to enter your real Google login details into the form.

This popped up on del.icio.us today. I'm trying to work out how someone scored a google.com/* address to run fake password-grabbing login page on. What's the trick?

By: gleuschk

gleuschk — Fri, 15 Sep 2006 04:21:02 -0800

Why do you say it's a fake?

By: Jimbob

Jimbob — Fri, 15 Sep 2006 04:23:51 -0800

Well, because I doubt it's official Google corporate policy to set up a page claiming to be offering a "Limited Beta of Gmail Plus!" that sends you off to a remote domain that tells you the password you typed in.

By: gleuschk

gleuschk — Fri, 15 Sep 2006 04:26:39 -0800

Ah, ok. I entered jimbob/wtf for the username/pwd, and got back

You (could have) gotten served!
jimbob = username you entered
wtf = password you entered
No data was actually taken, just displayed to you :) This is just a proof of concept of what a malicious user could do with this exploit.

The URL in the address bar is http://www.monthsbehind.net/google.php

By: wilful

wilful — Fri, 15 Sep 2006 04:34:29 -0800

So to repeat JBs question, wtf is going on?

By: pheideaux

pheideaux — Fri, 15 Sep 2006 04:39:52 -0800

That is really bizarre. It is not character spoofing because the trick still workes if one types the URL into the address bar. The monthsbehind.com root directory is not helpful at all. Is this a prank by an internal Google employee?

By: jessamyn

jessamyn — Fri, 15 Sep 2006 04:43:27 -0800

Usually in situations like this, I blame the interns.

By: jessamyn

jessamyn — Fri, 15 Sep 2006 04:46:27 -0800

You can see the same effect with other pages under the u directory like this: Electronic visualization lab. This page Cobranded University Search seems to shed some light on to it. It's their university offering.

By: edd

edd — Fri, 15 Sep 2006 04:50:39 -0800

Right, ucdavis.edu is mentioned in the source of the dodgy page.

By: jedrek

jedrek — Fri, 15 Sep 2006 04:52:02 -0800

The google /u/ pages are custom search pages for various organizations, especially universities and schools:

Google's own example.

The schools have total control over the content of those pages, so they can easily perform a hack like the gmailplus one. I'm glad someone demonstrated this exploit.

By: jessamyn

jessamyn — Fri, 15 Sep 2006 04:52:26 -0800

More here, here here and description of other schools in the program here, though gplus is not on the list.

By: matthewr

matthewr — Fri, 15 Sep 2006 04:55:03 -0800

I'm not sure exactly what's going on here, and I suspect Google will take it down shortly.

Basically: google.com/u contains various legit Google pages.
For example, try /blah, /test or /2. The /test one mentions cobranded university search. Perhaps a mischevious university employee has access to upload a page to /gplus?

By: matthewr

matthewr — Fri, 15 Sep 2006 04:55:41 -0800

Whoa, I need to refresh more often and use preview.

By: jessamyn

jessamyn — Fri, 15 Sep 2006 05:03:43 -0800

I sent an email to the guy who has the monthsbehind domain registered to let him know that the link to that page is now out in the wild. His info is easy to find on whois, so this was probably some sort of example page and not an intentional nefarious hack.

By: Jimbob

Jimbob — Fri, 15 Sep 2006 05:04:58 -0800

I send an email to the guy who has the domain registered to let him know that the link to that page is now out in the wild.

Heh, I wanted answers not action..! I guess this was all a lot simpler than I thought...

By: peacay

peacay — Fri, 15 Sep 2006 05:07:59 -0800

Here's a link to the guy who uncovered it as a potential phishing loophole.

By: Jimbob

Jimbob — Fri, 15 Sep 2006 05:14:55 -0800

Ah ha, now I get it, thanks to Peacay.

Google offers a service for universities to "brand" Google search by specifying their own header and footer.

This makes it possible, if you get onto that service, to insert a "header" and "footer" that makes the page look like a Gmail login, giving you your own google.com URL with a password form that can send the data to whatever site you like.

And they would have got away with it, too, if it wasn't for us darned kids!

By: Coda

Coda — Fri, 15 Sep 2006 17:56:33 -0800

Firefox 2 considers that link to be a phishing attempt.

By: Salmonberry

Salmonberry — Sat, 16 Sep 2006 14:16:41 -0800

Yeah, I get a pop up warning me not to use the page at all. <3 Firefox.

By: jessamyn

jessamyn — Sun, 17 Sep 2006 19:13:19 -0800

I got an email back from the UC Davis people:

Dear Ms. West

We appreciate your concern and you taking the time to contact us.

One of our programming students, Eric Farraro, discovered a security issue
for Google, on their military and university local search engine software,
which actually creates a security risk to Google servers and not the
military/university site.

He ran a legitimate test site to prove his point, under the guidance of his
supervisor, Charlie Turner. When he had proof, he contacted Google, who
immediately took down the specific functionality while they fix the bug.
(It is still down). Eric's site did not actually do any "phishing" - it
strictly returned the information to the person originating the login, to
let them know that had it been a real phishing site, their information would
have been taken and used without their knowledge.

His discovery will certainly save millions from a potentially huge
"phishing" exploit, as any phishing done using this security breach would be
using google's name as a "www.google.com/u/[put whatever you want here] URL
- which of course would be considered a trusted source by many.

Therefore, rest assured that this site was created with both the knowledge
of his supervisor and now of Google - who is working to correct the security
breach that Eric discovered.

Once again, thank-you very much for your inquiry.

Sincerely

Liz Gibson