Complain about a product or service

Google Anti-Phishing Feature Accidentally Reveals Too Much

By Martin H. Bosworth
ConsumerAffairs.com

January 23, 2007

• TSA Site Left Passenger Data Exposed To ID Theft • Connecticut Governor Wants 'Opt Out' For Online Directories • Verizon Gave Customer Data To Government Without Court Orders • House Democrats Probe Warrantless Surveillance • Many Facebook Users Compromise Own Identities • Spy Court Tells White House To Fess Up • FBI Uses Data Brokers, "Risk Scores" To Hunt Terrorists • GAO: "Critical" Weaknesses In FBI Security Network • How Safe Is That Free Wi-Fi Connection? • Businesses Back Off Spy Chips • Insurer Unlawfully Poached Consumers' Credit Reports • GAO Cites Medical Privacy Issues • Google Anti-Phishing Feature Accidentally Reveals Too Much • Bush Spy Program Placed Under Court Review • "National Security Letters" Used To Examine Americans' Financial Records • Bush Gives Himself Authority to Search the Mail • Court Shuts Down "Media Motor" Spyware Operation • Consumerists Want FTC Probe of Online Advertising • Firefox/Google Team Up To Fight Phishing • Schwarzenegger Terminates Spychip Bill • For Sale: Your Health Care Records • Xanga.com Fined for Children's Privacy Violations • Facebook Does an About Face • Chase Trashes Tapes Containing Circuit City Customers' Data --- • More Privacy News ...

A feature developed by Google to add Web sites suspected of "phishing" to a blacklist inadvertently collected the personal and financial information of its users, according to the Finjan security firm.

Google's "Safe Browsing" feature warns users if a site they are about to visit is a "phishing" site, designed to purloin visitors' financial information for the benefit of hackers.

Google keeps a "blacklist" of catalogued phishing sites available and regularly updates it, but Finjan's researchers found evidence of submitters' personal information being included on the list, without any privacy protection.

"After examining the data provided in these files, Finjan found that sensitive user information was available on the web with no access protection, including emails, usernames, passwords and session tokens that could be used by hackers to compromise users' privacy," said Finjan's chief technology officer Yuval Ben-Itzhak in a statement.

Google issued a statement saying that the offending data was removed, which Finjan independently verified.

"We have removed this information from URLs in the blacklist and created a process whereby this information is automatically stripped from future URLs submitted by users," the company added.

The story was initially picked up by Michael Arrington at the TechCrunch blog, and independently confirmed by San Jose, CA-based Finjan. The firm published pictures of the list, with the personal information redacted to prevent misuse.

The current Google antiphishing list -- minus the offending data -- is still publicly available.

Google's Safe Browsing system was incorporated both into the new Google Toolbar for Firefox, and the newest version of Firefox itself.

When Firefox 2.0 was released in October, observers noted the potential privacy risk of sending information about visited sites to Google.

Some critics said the incident was reminiscent of the massive AOL data breach, where researchers published the private search data of 600,000 subscribers, albeit on a much smaller and less damaging scale.

Report Your Experience
If you've had a bad experience -- or a good one -- with a consumer product or service, we'd like to hear about it. All complaints are reviewed by class action attorneys and are considered for publication on our site. Knowledge is power! Help spread the word. File your consumer report now.

Back to the top |