Google unwittingly disclosed sensitive login and password information of more than a dozen users, opening up a can of worms for the search giant by exposing a flaw in its anti-phishing tool.
The security snafu was discovered in Google’s anti-phishing extension for the Firefox Web browser, according to security vendor Finjan, which first discovered the vulnerability on Jan. 3.
The extension accidentally gathered some users’ e-mail addresses and passwords, and then posted the information on the company’s online phishing blacklist, which consists of thousands of fraudulent URLs reported to Google’s anti-phishing tool.
Getting the Word Out
The Mountain View, Calif.-based firm said it has removed the information from the public blacklist. “We are in the process of notifying the users who inadvertently disclosed this information and suggesting that they reset associated passwords,” Google said.
Google has since implemented a tool that can tell when a submitted URL contains log-in data and prevents that information from getting posted to the list. So far, there has been no indication that the data has been abused, according to the company.
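The kind of filter described above can be built by parsing each reported URL and scrubbing credential-looking fields before the entry is published. The following is an added illustration, not code from Google or Finjan; the list of sensitive parameter names and the sample URLs are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query-string keys that commonly carry credentials or session state (assumed list,
# not a definitive one; a real deployment would tune it to observed submissions).
SENSITIVE_KEYS = {"password", "passwd", "pwd", "pass", "sessionid", "session",
                  "sid", "token", "auth", "phpsessid", "jsessionid"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def scrub_submitted_url(url):
    """Return (sanitized_url, leaked_fields) for a URL reported to a public blacklist.

    Credentials embedded in the authority (user:pass@host) are dropped, and query
    parameters whose key looks like a credential, or whose value looks like an
    e-mail address, are replaced with a placeholder. leaked_fields names what was
    found so the submitter can be told to reset the affected account.
    """
    parts = urlsplit(url)
    leaked = []

    # 1. Strip userinfo from the netloc: "alice:hunter2@host" -> "host".
    netloc = parts.netloc
    if "@" in netloc:
        leaked.append("userinfo")
        netloc = netloc.rsplit("@", 1)[1]

    # 2. Walk the query string and redact credential-looking parameters.
    #    Note: values are decoded and re-encoded, so percent-encoding may change.
    clean_query = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SENSITIVE_KEYS or EMAIL_RE.match(value):
            leaked.append(key)
            clean_query.append((key, "REDACTED"))
        else:
            clean_query.append((key, value))

    sanitized = urlunsplit(
        (parts.scheme, netloc, parts.path, urlencode(clean_query), parts.fragment))
    return sanitized, leaked


if __name__ == "__main__":
    # Constructed sample of the kind of submission the article describes.
    sample = ("http://alice:hunter2@phish.example/login.php"
              "?user=alice@example.com&password=hunter2&next=home")
    print(scrub_submitted_url(sample))
```

Only the sanitized form should reach the published list; a non-empty leaked_fields result is the signal to hold the entry and notify the submitter.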
Containing the Breach
Although the incident exposed just a relatively small number of users to potential headaches such as identity theft, the log-in information contained on 15 URLs submitted through Google’s Firefox toolbar could have easily created many more problems, Yuval Ben-Itzhak, Finjan’s chief technology officer, told TechNewsWorld.
However, luckily for users of the service, most of the URLs on the list didn’t contain log-in information.
Because users generally have a single Web password for most of their online accounts, the “sensitive information could potentially have been used to compromise user privacy, and could even have been used for identity theft or financial profit,” he said.
The breach is similar to an incident last summer in which AOL accidentally exposed millions of search queries from its Web portal. Many of those queries contained private data that was made public on the company’s research Web site.
Preventing Future Problems
To prevent similar incidents, Finjan recommends that Web surfers employ different usernames and passwords for sites they visit, and disable URL sharing and forwarding functions.
“After examining the data provided in these files, Finjan found that sensitive user information was available on the Web with no access protection, including e-mails, usernames, passwords and session tokens that could be used by hackers to compromise users’ privacy,” Ben-Itzhak said.
Finjan has posted a photo of the list containing the URLs on its Web site, with the sensitive information blacked out.