Finjan Inc. declared that it backs up recent reports that Google accidentally exposed private usernames and passwords on the Google anti-phishing blacklist, without any access protection. Such sensitive data could potentially have been used to compromise user privacy, and could even have been used for identity theft or financial profit.
On January 3, 2007, researchers at Finjan’s Malicious Code Research Center (MCRC) found that a list of URLs was available unencrypted on Google’s servers and immediately informed Google, which acknowledged receipt of Finjan’s alert about the vulnerability.
Finjan believes the information on the servers had been gathered using Google’s anti-phishing browser extension. Google has since fixed the problem, and it is assumed that Google has notified all affected users. Recent tests conducted by Finjan confirm that there is no data leakage on the current Google anti-phishing blacklist.
For a snapshot of the data leakage page, follow this link: Google JPG
“Finjan became aware of the problem after examining a public list of URLs provided from Google’s servers,” said Yuval Ben-Itzhak, Finjan’s Chief Technology Officer. “After examining the data provided in these files, Finjan found that sensitive user information was available on the web with no access protection, including emails, usernames, passwords and session tokens that could be used by hackers to compromise users’ privacy.”
Finjan offers the following advice to minimize the risk of exposing confidential data through similar web applications:
Pointers for home users:
1. Avoid sharing your browsing history with third parties by disabling URL sharing or forwarding, which is usually enabled in your browser’s toolbars.
2. Use a proper password policy for your web accounts. Do not use the same password for all web accounts: having the same password for several accounts will compromise ALL of them if just one is compromised.
3. Make sure that your PC is effectively protected from malicious software such as spyware and adware that can send out private information. Even when an application’s privacy policy looks sensible, remember that sending a full URL (including its parameters) is enough to disclose your email and other private information.
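The third pointer is the crux of the incident: a URL's query string routinely carries emails, usernames, passwords and session identifiers, so any component that forwards full URLs to a third-party service (a toolbar, an anti-phishing lookup, a crash reporter) becomes a credential leak. The following added example, which is not code from Finjan, Google or the original article, shows the defensive step such a component should take: inspect a URL for credential-like parameters and embedded userinfo, and redact them before the URL leaves the machine. The parameter-name list, the email/token heuristics and the sample URLs are all constructed for this illustration.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query-parameter names that commonly carry credentials or session state.
# Constructed list for this example; extend it with names seen in your own traffic.
SENSITIVE_KEYS = {
    "password", "passwd", "pwd", "pass",
    "user", "username", "login", "email",
    "session", "sessionid", "sid", "token", "auth", "api_key",
}


def _looks_like_email(value: str) -> bool:
    """Crude check: something@domain.tld (heuristic, constructed for the example)."""
    local, sep, domain = value.partition("@")
    return bool(sep) and bool(local) and "." in domain


def _looks_like_token(value: str) -> bool:
    """Long opaque alphanumeric values are treated as session tokens (heuristic)."""
    return (len(value) >= 20
            and all(c.isalnum() or c in "-_" for c in value)
            and any(c.isdigit() for c in value)
            and any(c.isalpha() for c in value))


def _is_sensitive(key: str, value: str) -> bool:
    return (key.lower() in SENSITIVE_KEYS
            or _looks_like_email(value)
            or _looks_like_token(value))


def find_sensitive_params(url: str) -> list[str]:
    """Return the names of query parameters in `url` that look like credentials,
    emails or session tokens, in the order they appear."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return [k for k, v in pairs if _is_sensitive(k, v)]


def is_safe_to_share(url: str) -> bool:
    """True only if the URL has no userinfo (user:pass@host) and no sensitive parameters."""
    parts = urlsplit(url)
    return "@" not in parts.netloc and not find_sensitive_params(url)


def redact_url(url: str) -> str:
    """Return a copy of `url` that can be forwarded to a third party:
    userinfo is stripped from the authority, credential-like parameter values
    are replaced by the literal REDACTED, and the fragment is dropped."""
    parts = urlsplit(url)
    # Drop any user:password@ prefix; the host is the part after the last '@'.
    netloc = parts.netloc.rsplit("@", 1)[-1]
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    redacted = [(k, "REDACTED" if _is_sensitive(k, v) else v) for k, v in pairs]
    return urlunsplit((parts.scheme, netloc, parts.path, urlencode(redacted), ""))


# Constructed sample URLs of the kind a browser toolbar might forward.
SAMPLE_URLS = [
    "http://mail.example.test/login?email=alice%40example.test&password=hunter2",
    "http://shop.example.test/cart?item=42&sid=abc123def",
    "http://bob:secret@intranet.example.test/page",
    "http://search.example.test/?q=alice%40example.test",
    "http://news.example.test/article?id=7",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        status = "ok to share" if is_safe_to_share(url) else "LEAKS: " + ", ".join(find_sensitive_params(url) or ["userinfo"])
        print(f"{status:40} {redact_url(url)}")
```

The name-based list catches the obvious cases; the value heuristics exist because leaked data rarely arrives under a tidy parameter name (the search-engine URL above leaks an email address under `q`). A forwarding component should apply `redact_url` unconditionally rather than trusting `is_safe_to_share` alone, since the check is only as good as the heuristics.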