Phishing Exploit Discovered in ‘Google Public Search Service’
If any DIGGers read this, the reason I linked to this blog is because as far as I can tell, I’m the only person to ever come across this; there isn’t any other site to link to.
For ADD readers, you can try out the ‘new Gmail Plus service’ here: http://www.google.com/u/gplus. Article follows below:
Yesterday I mentioned that I had discovered an exploit in a little-known service from a major web company. That service is ‘Google Public Service Search’. It is meant for universities and other non-profit organizations to add a ‘Google’ search to their website. It differs from the other free Google site search in that it lets you customize the header and footer of the search results page. Notably, the code for your header and footer is actually hosted by Google, on their server.
I actually found this service when I was asked to add a Google search to one of the pages at work. One problem people had with the default behavior is that while you can customize the initial search box to your heart’s content, the search box that appears on the results page is off-limits. This was a problem, because people had asked for the radio buttons to say specific things, instead of the default ‘WWW’ and ‘some other domain’. I pondered how I could get around this, just out of curiosity (though I suspect this would violate the ToS), and tried a simple Javascript alert. Sure enough, when I ‘previewed’ the page, the script was executed. Interesting…
I began using Javascript to modify the DOM, which let me change the search box on the results page. Then I had another idea… I knew that my header was rendered first, then Google’s results, then the footer. So I opened a DIV tag in the header, which wrapped Google’s search results, and closed that DIV tag in the footer. Right after that, still in the footer, I used Javascript to overwrite the DIV’s ‘document.getElementById(divID).innerHTML’ property, and essentially hid all of Google’s search results. I realized that I had created a blank slate, hosted at a Google.com address.
Though this was certainly impressive to me, it would not get the attention of anyone. Most people I know, when I show them I can execute a Javascript alert, say “So?”. I decided to up the ante a bit and create a new ‘Google service’, modelled heavily after Gmail, but offering new features. After the Javascript in the footer, I added all of the HTML I needed to render a completely new page of my choosing. I chose to use a modified version of the Google homepage. For the login form, I directed the user’s input to my server, which simply alerts them that they have been ‘scammed’, but reassures them that no information was stolen — I just echo the username and password that they entered.
Similar ‘phishing’ sites could be set up at ANY URL. What makes this type of exploit so insidious is that most people would consider the URL to be safe: http://www.google.com/u/gplus. While Google has suffered from similar attacks in the past, most of them have had suspicious URLs, at least to the advanced user. Using the exploit in this service, a malicious attacker could launch phishing sites that even advanced users could fall for.
Just as a sidenote, the URL of this service always has the form: http://www.google.com/u/something. ‘/something’ can really be anything you want (alphanumeric only, I believe).
The day after I found the exploit, I emailed security@google.com and got a response saying they would follow up with me later. They immediately took down the login page for the service as you can see here: https://services.google.com/publicservice/login. The site has been down since then.
My initial idea was that Google could simply remove script from the headers and footers; however, as my coworker pointed out, you could achieve a similar effect using the CSS ‘hidden’ (I think?) property on the DIV, and not use Javascript at all. It should be interesting to see how Google fixes this issue.
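As an added example (not code from the post, nor anything Google shipped), here is a small allow-list sanitizer in JavaScript for the kind of header/footer markup this service accepted, together with a check that lists forms posting to a host other than the trusted one. It shows why the first fix considered above, removing script, is insufficient: the CSS variant the coworker pointed out still hides the results under a script-only filter, while an allow-list that drops unknown tags and every style attribute neutralizes both variants and keeps the results visible. The tag list, the function names and the sample fragments are my own assumptions, constructed for this illustration.

```javascript
// Added example (not the post's own code): an allow-list sanitizer for
// customizable header/footer fragments, plus a check for forms that post
// off-site. All sample fragments below are constructed for this example.

// Tags and attributes a header/footer may keep. Deliberately absent: div,
// form, script, style, any id/class/style attribute, any on* handler.
const ALLOWED_TAGS = new Set(['p', 'b', 'i', 'em', 'strong', 'a', 'br',
                              'img', 'span', 'h1', 'h2', 'ul', 'li']);
const ALLOWED_ATTRS = { a: ['href'], img: ['src', 'alt'] };

// The post's first idea, "simply remove script": only <script> blocks go.
function naiveStripScript(html) {
  return html.replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, '');
}

// Allow-list sanitizer: unknown tags are dropped (their text content stays),
// unknown attributes are dropped, and href/src must be absolute http(s) URLs.
function allowlistSanitize(html) {
  // Remove <script> and <style> elements together with their bodies.
  const out = html.replace(/<(script|style)\b[^>]*>[\s\S]*?<\/\1\s*>/gi, '');
  return out.replace(/<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g, (tag, name, attrs) => {
    const lower = name.toLowerCase();
    if (!ALLOWED_TAGS.has(lower)) return '';
    if (tag.startsWith('</')) return `</${lower}>`;
    const kept = [];
    const attrRe = /([a-zA-Z][a-zA-Z0-9-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
    let m;
    while ((m = attrRe.exec(attrs)) !== null) {
      const attr = m[1].toLowerCase();
      const value = (m[2] !== undefined ? m[2] : m[3] !== undefined ? m[3] : m[4]).trim();
      if (!(ALLOWED_ATTRS[lower] || []).includes(attr)) continue;
      if ((attr === 'href' || attr === 'src') && !/^https?:\/\//i.test(value)) continue;
      kept.push(`${attr}="${value.replace(/"/g, '&quot;')}"`);
    }
    return `<${lower}${kept.length ? ' ' + kept.join(' ') : ''}>`;
  });
}

// Detection on a rendered page: return every <form action=...> target whose
// host differs from the trusted host (relative actions resolve to that host).
function externalFormActions(html, trustedHost) {
  const found = [];
  const formRe = /<form\b[^>]*?\baction\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/gi;
  let m;
  while ((m = formRe.exec(html)) !== null) {
    const action = m[1] !== undefined ? m[1] : m[2] !== undefined ? m[2] : m[3];
    let host;
    try { host = new URL(action, `https://${trustedHost}/`).hostname; } catch (e) { continue; }
    if (host !== trustedHost) found.push(action);
  }
  return found;
}

// Constructed fragments reproducing the two hiding techniques from the post:
// header opens a wrapper, results go inside, footer closes it and blanks it.
const RESULTS = '<p>Google results here</p>';
const jsVariant = '<div id="wrap">' + RESULTS +
  '</div><script>document.getElementById("wrap").innerHTML = "";</script><h1>Gmail Plus</h1>';
const cssVariant = '<div id="wrap" style="display:none">' + RESULTS + '</div><h1>Gmail Plus</h1>';

function demo() {
  return {
    naiveOnCss: naiveStripScript(cssVariant), // still contains display:none
    safeJs: allowlistSanitize(jsVariant),     // '<p>Google results here</p><h1>Gmail Plus</h1>'
    safeCss: allowlistSanitize(cssVariant),   // same string: wrapper and its style are gone
  };
}

console.log(demo());
```

The regex tokenizer is adequate for this illustration but not for production input; a real deployment would use a parser-based sanitizer (DOMPurify in the browser, or an equivalent server-side library) with the same allow-list policy. Sanitizing also does not change the deeper problem the comments raise: any markup a customer controls that is served from the primary origin shares that origin’s cookies, so the durable fix is to serve such content from a separate origin rather than to filter it.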
September 15th, 2006 at 6:08 am
Nice hack.. excellent - did you contact Google security or just go into full disclosure mode directly??
September 15th, 2006 at 7:30 am
[…] Eric Farraro shows how, with the help of Google Public Search, you can create a phishing page that, thanks to the URL, is almost indistinguishable from the real thing. Google has meanwhile responded by switching off Public Search. […]
September 15th, 2006 at 7:34 am
[…] Can Google’s “Public Search Service” be abused for phishing purposes? A hole in the programming evidently makes this possible at the moment, as Eric Farraro found. Because it is hosted on the google.com domain, it really does look as though you are sending your login data to Google, which is obviously not the case. Eric shows a proof of concept at http://www.google.com/u/gplus. Anyone who wants to play it safe naturally does not enter their real login data there, but tries it with fake details… […]
September 15th, 2006 at 7:36 am
Good find + coding Eric!
September 15th, 2006 at 7:36 am
bitchin.
September 15th, 2006 at 7:41 am
Great man. Amazing proof of concept. I am sure a million users would have fallen for it had you just wanted to. Bravo for staying on the light side.
September 15th, 2006 at 7:42 am
[…] Eric Farraro has discovered a security flaw in Google Public Service Search. Among other things, Public Service Search lets anyone create a custom-designed header and footer for the regular search results. What Eric discovered was that you can insert JavaScript or CSS code in the footer and in that way manipulate the regular page. […]
September 15th, 2006 at 7:51 am
nice work, the funny part is that they can’t disable your account because it would mean temporarily suspending the service and because they use this service to dish out search results to the military and universities, they’re stuck in a tough pickle.
If you were evil you could sell your little exploit (because registrations are disabled, so no one else can do it).
September 15th, 2006 at 7:52 am
I like your disclaimer. That’s really humble. I only dislike articles on digg that are obvious “Blog Spam”. This isn’t. Watch though, someone is going to post this story on their blog with a link to you then submit to Digg.
Great Job on uncovering this!
September 15th, 2006 at 7:58 am
Nice find..
September 15th, 2006 at 8:06 am
Good work… I contacted Google expressing my concern as well.
September 15th, 2006 at 8:14 am
Very impressive. And while google.com base domain will generally be trusted and not suspected of phishing, the form information itself is still posted to an external domain.
Hmm.. I wonder - since the page is loaded from the google’s server, could you read session/cookies ?
September 15th, 2006 at 8:18 am
@/pd: Yes, I did contact Google. I got a reply back saying they would follow up with me later, and they immediately took down the login page — meaning no one else can sign up for this after seeing the exploit. I wanted to make sure no one could take advantage of it before I put it on Digg.
@Tony: Yes, I could in fact steal cookies. I don’t know what they contain, but many XSS-type attacks steal cookies to obtain information that lets the attacker falsely authenticate as another user.
September 15th, 2006 at 8:22 am
Hey, that is a cool story. Thanks for revealing that security hole in gmail, though I am not a gmail user myself.
Sounds impressive.
Keep the good work!
September 15th, 2006 at 8:26 am
Blew my mind when I saw my user id and pwd shown on a third party website… This challenges everything I thought I knew about phishing. I still don’t get how it is possible on “Similar ‘phishing’ sites could be set up at ANY URL”. However, since you are smarter than me, I may have to believe that. But I would be curious if you can blog more about it. It couldn’t possibly be “ANY”.. Does it??? ):
By the way, it’s always nice to have smart guys like you around… thanks for not stealing / storing my uid and pwd…
September 15th, 2006 at 8:28 am
@Mallik:
When I said any, I meant:
http://www.google.com/u/(whatever I want)
So for instance, I had also registered ‘http://www.google.com/u/login’ originally with the service. I could put any word after the ‘/u/’ that I want (that isn’t already registered with Google’s service).
September 15th, 2006 at 8:31 am
The party’s over. Google is checking for the url and giving a 403 error now.
I did see it, though, before they shut it down and echo the sentiments above - nice job and good catch!
Very scary that phishing sites can be hosted on a trusted domain!
September 15th, 2006 at 8:40 am
[…] Eric has a great post where he exploited the Google Public Service Search. […]
September 15th, 2006 at 9:15 am
a bug from google…
Nice
September 15th, 2006 at 9:37 am
Great find, thank you for posting on digg.
September 15th, 2006 at 9:43 am
Very nice - I have tried injecting code to Google before but never knew about the public service site, though even if I had I wouldn’t have thought to do as you did.
Interestingly as soon as I viewed the page Firefox 2’s Phishing detector went off, so obviously they’ve read this too!
September 15th, 2006 at 10:10 am
Very nice. Here is the CSS code that would do the same thing:
<div style="display:none">
September 15th, 2006 at 10:37 am
hmm, seems google is working on this issue now
September 15th, 2006 at 11:20 am
“I wanted to make sure no one could take advantage of it before I put it on Digg”
Very Ethical - Kudos to you
-
btw, googs took down the ../u/whatever at approx 1030hrs edt
September 15th, 2006 at 11:23 am
Wow, great find! I’m glad it was you who discovered it and not someone of fewer scruples.
September 15th, 2006 at 11:24 am
[…] Krotusblog » Blog Archive » http://ericfarraro.com/?p=6 […]
September 15th, 2006 at 11:38 am
Worse than just phishing… since you could run arbitrary JS, this allows for easy session cookie snatching. It could’ve happened without any user being aware of it at all…
September 15th, 2006 at 11:48 am
[…] Even the mighty G is not immune to javascript exploits and phishing scams. Phishing Exploit Discovered in ‘Google Public Search Service’ Posted in Uncategorized | […]
September 15th, 2006 at 12:41 pm
Hi,
Eric, Google Phishing, GREAT. I haven’t seen something as good as this; you could have easily got thousands of users fooled, and you’re right that an expert user could have been fooled. By the way, I am just curious how many people fell for it.
Thanks
September 15th, 2006 at 1:08 pm
Clever Hack…
Eric Farraro discovered a flaw in Google’s University Search program. Essentially you can upload your own markup to make your university search page look nice. The page is actually hosted on Google’s domain, and through the use of Javascr…
September 15th, 2006 at 1:37 pm
Actually the CSS rule would be:
.hide {
display: none;
}
<div class="hide">content</div>
You could also do a negative text-indent to move the element(s) off the screen: “text-indent: -9999px;”
September 15th, 2006 at 3:09 pm
Hey, Eric, I want to say thanks for using this for good and notifying Google, instead of exploiting it and creating an internet scam. It takes good-hearted people like you to rid the Earth of viruses, trojans, spyware, and malware.
September 15th, 2006 at 5:15 pm
Gmail Plus? Phishing!…
Eric Farraro, a software developer, found an exploit in Google Public Service Search, a little known service for universities or other non-profit organizations to add a ‘Google’ search to their website and allows you to customize the header…
September 16th, 2006 at 3:05 am
[…] More details here: http://ericfarraro.com/?p=6 […]
September 16th, 2006 at 5:07 am
[…] The explanation of how it works is in “Phishing Exploit Discovered in ‘Google Public Search Service’”. The actual phishing site is http://www.google.com/u/gplus. If you have installed Google Safe Browsing in Firefox, a phishing warning will appear. The login window seems to be blocked now, but even if the login window shows up normally, never enter your real ID and password. […]
September 16th, 2006 at 6:21 am
Phishing Exploit Discovered in ‘Google Public Search Service’…
Eric Farraro from software.dev discovered a nasty hole in the Google Public Search Service.
Yesterday I mentioned that I had discovered an exploit in a little known service from a major web company. It turns out that that exploit is in a little kn…
September 16th, 2006 at 9:50 am
[…] Eric Farraro found another fairly complex XSS exploit in Google - again. I applaud his technique as it was fairly complex (not your standard variable tampering). […]
September 16th, 2006 at 11:31 am
[…] A not-so-well-known Google service called ‘Public Service Search’ is, according to Eric Farraro, vulnerable to XSS attacks and could be abused for sophisticated phishing attacks. […]
September 16th, 2006 at 2:17 pm
Google Phishing Exploit Exposed …
Eric Farraro blogged about his P.O.C exploit on Google Public Service Search. I urge you to read about his exploit and notice how simple an exploit could really boil down to….
September 16th, 2006 at 8:28 pm
[…] From the software.dev blog: Yesterday I mentioned that I had discovered an exploit in a little known service from a major web company. It turns out that that exploit is in a little known service called ‘Google Public Service Search’. This service is meant for universities or other non-profit organizations to add a ‘Google’ search to their website. It differs from the other free Google site search in that it allows you to customize the header and footer of the search results page. It’s interesting to note that the code for your header and footer is actually hosted by Google, on their server. […]
September 17th, 2006 at 3:09 am
[…] As the GoogleWatchBlog writes, a security hole could have led to phishing attacks at Google. The special thing: the whole operation was carried out directly under the Google.com domain. At the address google.com/u/gplus there was a login page for the supposedly new GMail Plus, a service that does not exist at all. Exactly how it works can be read at Eric Farraro’s, who has meanwhile reported this hole to Google. The page was created with Google Public Service Search. This allows a user to adapt the appearance of the search results to their own website. An attacker could therefore modify his personal search page so that it looks like a new service from Google. Since the page is reachable under the domain google.com, there is also access to the cookies of this domain. With that, Google accounts can be hijacked even without the user’s login data. The page has meanwhile been removed, and Google Public Service Search has at least provisionally been blocked for all users. […]
September 17th, 2006 at 7:20 am
XSS vulnerability in Google…
Recently, on 14.09.2006, the trendy fellow Eric Farraro found a new XSS vulnerability in Google. It has been a long while since we heard about Cross-Site Scripting vulnerabilities in the serv…
September 17th, 2006 at 9:02 am
[…] Source: eWeek , ericfarraro.com Extracts:” […]
September 17th, 2006 at 12:58 pm
[…] Eric Farraro discovered a possible exploit that lets you use the google.com domain for your phishing expedition. Here is some excerpt from his article […]
September 18th, 2006 at 2:50 am
I can’t understand why google didn’t see that one coming…Nice one
September 18th, 2006 at 10:37 am
Wow. Google is becoming very security sloppy. While cross-site scripting attacks are difficult (impossible?) to fully defend against, this was just insecure by design. Allowing user javascript in the google domain is just plain dum (not even deserving of the b), allowing numerous really bad things.
September 18th, 2006 at 9:19 pm
Wow nice catch man, good to have people like you on top of things like this
September 19th, 2006 at 9:15 am
This is a GREAT find. Really out of the box thinking. Well done…
September 19th, 2006 at 11:31 am
Hey Eric, great work! I found the link to the ZDnet story this morning in my email. See you in a couple of weeks.
September 19th, 2006 at 7:56 pm
That was interesting! didn’t even notice that there was a Public Service search from Google before this.
September 20th, 2006 at 8:46 pm
[…] This was made by Eric using a small vulnerability in Google Public Service Search. It also proves that not every page on Google.com is safe; everyone must stay alert at all times. […]
September 22nd, 2006 at 4:26 am
Nice exploit….. had only I got a chance to lay hands on Google Public Search Service….
BTW, doesn’t GPSS check the authenticity of the organization signing up to put a site on their page…??
September 22nd, 2006 at 8:49 am
@Vijay: Actually, no. Anyone can sign up (well, not anymore). Previously, anyone could sign up and have a page up and running in 5 minutes.
September 22nd, 2006 at 1:56 pm
[…] A description of how to create such a page is at http://ericfarraro.com/?p=6 […]
September 22nd, 2006 at 3:44 pm
[…] The ability to change the layout of a search page adapted to your own company/university can also be used to set up complete phishing pages that run under the domain google.com. More on that here. […]
September 22nd, 2006 at 9:06 pm
[…] This was made by Eric using a small vulnerability in Google Public Service Search. It also proves that not every page on Google.com is safe; everyone must stay alert at all times. […]
September 23rd, 2006 at 6:05 am
Good work man… Keep the world beautiful ..
Kudos to u ..
September 27th, 2006 at 9:47 am
[…] phishing scam using google software.dev Blog Archive Phishing Exploit Discovered in ‘Google Public Search Service’ quite an interesting find..some guy realising how to scam google users, gladly he reported the flaw and didn’t take full use of the opportunity __________________ Web Community […]
November 16th, 2006 at 11:30 am
nice work, I am using this service and they haven’t disabled my javascript that I use for navigation on my site as well as in the header. google did mess up jpeg directory links in the header though, but hover javascript still works.
I believe this is why they allowed scripts on their server, since without this permission many customized headers with javascript navigations would be disabled.
thanks, however, I would like to be able to check in on the search stats of my site’s account, I guess google analytics will have to do
December 28th, 2007 at 6:49 am
AVG download…
…