WastedTimes
Username:   Password: 
Auto Login
  
WastedTimes
A Tribute to SameOLSam & The Limneos Forum
 
 RegisterRegister 
It is currently Mon 11 Nov, 2024
All times are UTC - 5 Hours
Google's anti-phishing plugin leaked passwords


Users browsing this topic: 0 Registered, 0 Hidden and 0 Guests
Registered Users: None


View previous topic Printable versionDownload TopicPrivate MessagesRefresh page View next topic
Author Message
aiolos
VIP Member
VIP Member


Joined: 16 Jan 2006
Posts: 641
Google's anti-phishing plugin leaked passwords
Reply to topic Reply with quote Go to the bottom
PostPosted: Tue 23 Jan, 2007

micros0ft isn't the only one with security issues :


A recent press release from web security provider Finjan Inc. has exposed a security flaw with Google's anti-phishing browser extension for the Firefox web browser. Apparently, the extension accidentally gathered some users' e-mail addresses and passwords. Finjan informed Google of the problem earlier this month before making their findings public, and Google has since released an updated version of their plugin that fixed the problem.

How did an anti-phishing plugin wind up exposing user names and passwords to the general public? Google's software used a public blacklist, available from Google's servers, which listed sites that were fraudulently pretending to be banking or other financial institutions. Unfortunately, some of these sites embedded usernames and passwords directly into the URL—obviously phishing sites didn't have concerns about security—and were thus viewable by anyone.

The fix was a simple one and merely involved Google stripping out any user information from the URL before posting it to the blacklist site. Still, the fact that a tool designed to help stop online fraud could have accidentally revealed sensitive user information is somewhat disquieting, especially given the fact that many people reuse the same passwords for multiple sites.

Finjan recommends that home users disable features found on many web toolbars that enable URL sharing or forwarding, although this would impact many of the latest "social software" utilities that have been popular with Web 2.0 fans. Also, they strongly suggest—and this is always good practice—that users should never use the same password for more than one site. Corporate users are told to use "proactive" protection for their web security solution, as antivirus and URL filtering software by themselves may not be enough.
_________________
I would love to change the world, but they won't give me the source code !
Back to top
Display posts from previous:   
   Board Index
   -> Open Discussion, Open Discussion
View previous topic Printable versionDownload TopicPrivate MessagesRefresh page View next topic

Page 1 of 1  [ 1 Posts ]
 


Jump to:   
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot post attachments in this forum
You can download attachments in this forum

Search: