Exploiting Google for Phishing

from eric farraro’s software.dev blog:

yesterday i mentioned that i had discovered an exploit in a little known service from a major web company. it turns out that the exploit is in a little known service called ‘google public service search’. this service is meant for universities or other non-profit organizations to add a ‘google’ search to their website. it differs from the other free google site search in that it allows you to customize the header and footer of the search results page. it’s interesting to note that the code for your header and footer is actually hosted by google, on their server.

meaning, you can embed your own code there. ’nuff said. this went full disclosure on the guy’s blog, but google has already seen it and took care of it, as the site now returns a 403 when you attempt to reach it.

still, google has yet to fix their open redirectors, which have been publicly used to phish users for a very long time now. that is not an easy problem to solve, but we haven’t seen any commitment from google to solve it, either.

gadi evron,
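as an added illustration (this is not code from the post above, nor google’s or netcraft’s own code): the handler below shows the open redirector pattern the post complains about, side by side with a hardened version that only follows same-site paths or allowlisted https hosts, plus a small check that picks out off-site redirect requests from access-log lines. the host names, the `/go?next=` endpoint and the log format are assumptions constructed for the example.

```python
from urllib.parse import urlsplit, urljoin, parse_qs

# Constructed example values: the site's own origin and the hosts it may send users to.
SITE_ROOT = "https://www.example.org/"
ALLOWED_HOSTS = {"www.example.org", "search.example.org"}


def vulnerable_redirect_target(next_param: str) -> str:
    """Open redirector: whatever arrives in 'next' becomes the Location header.

    A link such as https://www.example.org/go?next=https://phish.example/login
    shows the trusted domain to the user but lands them on the phishing page.
    """
    return next_param


def validate_redirect(next_param: str):
    """Return a safe absolute URL for 'next', or None if it must be refused."""
    if not next_param:
        return None
    # Some browsers treat backslashes as slashes, so normalise before parsing
    # or "/\phish.example" would be read as a path here and as a host there.
    candidate = next_param.replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        # Absolute reference: require https and an allowlisted host. Using
        # parts.hostname (not netloc) defeats "https://www.example.org@phish.example/".
        if parts.scheme != "https" or parts.hostname not in ALLOWED_HOSTS:
            return None
        return candidate
    # Relative reference: a single leading slash keeps it on this origin;
    # "//host/path" would be protocol-relative and is rejected above via netloc.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return None
    return urljoin(SITE_ROOT, candidate)


def safe_redirect_target(next_param: str, default: str = SITE_ROOT) -> str:
    """Hardened handler: fall back to the site root whenever 'next' is refused."""
    return validate_redirect(next_param) or default


# Constructed sample access-log lines (hypothetical "METHOD PATH STATUS" format).
SAMPLE_LOG = [
    "GET /go?next=/account 302",
    "GET /go?next=https://search.example.org/q 302",
    "GET /go?next=https://phish.example/login 302",
    "GET /go?next=//phish.example/login 302",
    "GET /index.html 200",
]


def offsite_redirect_requests(log_lines):
    """Detection: list the 'next' values of /go requests the validator would refuse.

    Run against logs of a site that still has the open redirector, each hit is a
    link that borrowed the site's domain to send a visitor somewhere else.
    """
    flagged = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 2:
            continue
        request = urlsplit(fields[1])
        if request.path != "/go":
            continue
        for nxt in parse_qs(request.query).get("next", []):
            if validate_redirect(nxt) is None:
                flagged.append(nxt)
    return flagged


if __name__ == "__main__":
    for value in ("/account", "https://phish.example/login", "//phish.example/login"):
        print(f"{value!r}: open -> {vulnerable_redirect_target(value)!r}, "
              f"hardened -> {safe_redirect_target(value)!r}")
    print("off-site redirects in sample log:", offsite_redirect_requests(SAMPLE_LOG))
```

the important design choice is the allowlist: a denylist of known phishing hosts cannot keep up, whereas refusing everything that is not a same-origin path or a known host leaves the attacker nothing to borrow the domain for.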

  • http://aviv.raffon.net Aviv

    Yeah, open redirectors are a big problem.
    Even netcraft, who recently started a “catch phishers for an ipod” game, introduce the same issue on their own website.