Hackers are phishing at Google's Public Service Search page
A researcher has exploited a security hole in Google Public Service Search to create an ingeniously deceptive phishing attack that looks like it's hosted on Google's domain.
http://www.google.com/u...
The fake service, Gmail Plus, which purports to be Gmail + Orkut, doesn't actually capture your user ID and password. Instead, it delivers a "You (could have) gotten served" message when you enter information into the sign-in form.
Eric Farraro discovered the exploit while adding a legitimate Google search box to a Web page at work.
I began to use JavaScript to modify the DOM, allowing me to change the search box on the results page. Then I had another idea… I knew that my header was rendered first, then Google’s results, then the footer. I decided to encapsulate the Google search results by placing them in a DIV tag, then closed the DIV tag in the bottom. Right after that, in the footer, I used the JavaScript ‘document.getElementById(divID).innerHTML’ property, and essentially, hid all of Google’s search results. I realized that I had created a blank slate, hosted at a Google.com address.
Farraro notified Google of the exploit, and Google has since removed the Public Service Search log-in.
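As an added, defender-side example that is neither Google's code nor from the post: a conservative validator for the kind of customer-supplied header and footer fragments Public Service Search rendered around its results. It rejects the two things the write-up above relies on, a tag opened in one fragment and closed in the other, and script inside the fragment. checkFragment, the tag lists and the constructed SAMPLES are this example's own assumptions.

```javascript
// Added example, not Google's or the post's code: validates a customer-supplied
// header/footer fragment before it is rendered around the host's own content.
const TAG_RE = /<\s*(\/?)\s*([a-zA-Z][a-zA-Z0-9-]*)([^>]*)>/g;
const VOID_TAGS = new Set(['br', 'hr', 'img', 'input', 'meta', 'link', 'area', 'base', 'col', 'wbr']);
const FORBIDDEN_TAGS = new Set(['script', 'iframe', 'object', 'embed', 'style', 'form']);
const ON_HANDLER_RE = /\son[a-z]+\s*=/i;                       // onload=, onclick=, ...
const JS_URL_RE = /\b(href|src)\s*=\s*["']?\s*javascript:/i;

// Returns { ok, problems }. A fragment must be self-contained: every tag it opens
// it also closes, and it never closes a tag the host page opened around it.
function checkFragment(html) {
  const problems = [];
  const stack = [];
  TAG_RE.lastIndex = 0;
  let m;
  while ((m = TAG_RE.exec(html)) !== null) {
    const [, slash, rawName, attrs] = m;
    const name = rawName.toLowerCase();
    if (FORBIDDEN_TAGS.has(name)) problems.push(`forbidden element <${name}>`);
    if (ON_HANDLER_RE.test(attrs)) problems.push(`inline event handler on <${name}>`);
    if (JS_URL_RE.test(attrs)) problems.push(`javascript: URL on <${name}>`);
    if (VOID_TAGS.has(name) || attrs.trim().endsWith('/')) continue; // no closing tag expected
    if (slash === '') {
      stack.push(name);
    } else if (stack.length > 0 && stack[stack.length - 1] === name) {
      stack.pop();
    } else {
      problems.push(`stray closing </${name}> (would close an element the host opened)`);
    }
  }
  for (const open of stack) problems.push(`unclosed <${open}> (would wrap what the host renders next)`);
  return { ok: problems.length === 0, problems };
}

// Constructed samples: a benign pair, and a pair mirroring the write-up above
// (DIV opened in the header, closed in the footer, contents blanked by script).
const SAMPLES = {
  benign: { header: '<div class="banner"><img src="/logo.png" alt="Acme"></div>', footer: '<p>&copy; Acme</p>' },
  swallowing: { header: '<div id="results">',
                footer: '</div><script>document.getElementById("results").innerHTML = "";</script>' },
};

for (const [label, pair] of Object.entries(SAMPLES)) {
  for (const part of ['header', 'footer']) {
    const r = checkFragment(pair[part]);
    console.log(`${label}.${part}: ${r.ok ? 'accepted' : 'rejected (' + r.problems.join('; ') + ')'}`);
  }
}
```

The check is deliberately strict rather than a full HTML parser: anything that is not balanced on its own, or that carries script in any form, is refused before it reaches the host's origin.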