[ISN] Minor Google Security Lapse Obscures Ongoing Online Data Risk

From: InfoSec News (alerts@private)
Date: Tue Jan 23 2007 - 22:21:38 PST


By Thomas Claburn
Jan 22, 2007

Information gathered for Google's Safe Browsing extension for Firefox 
wasn't safely stored on Google's servers, according to a report issued 
by computer security company Finjan.

Finjan today confirmed earlier reports that Google's anti-phishing 
blacklist, containing private user names and passwords, was accessible 
without protection on Google's servers. The company said that it made 
the discovery on Jan. 3, that it informed Google, and that the data is 
no longer publicly accessible.

In a statement, Google explained, "Some URLs users submitted to the 
Google Safe Browsing project included credential information such as 
login and/or password for the Web site they were visiting. We have 
removed this information from URLs in the blacklist and created a 
process whereby this information is automatically stripped from future 
URLs submitted by users. In addition, we are in the process of notifying 
the users who inadvertently disclosed this information and suggesting 
that they reset associated passwords."
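The stripping process Google describes is worth seeing concretely. The following is an added illustration, not Google's or Finjan's code: a reported URL can carry credentials in the userinfo part (http://alice:s3cret@example.com/) or in query parameters such as login= and password=, and a blacklist ingestion step should remove both before the entry is stored or shared. The list of sensitive query keys and the sample URLs are assumptions constructed for this example.

```python
"""Strip embedded credentials from URLs before they are stored or shared.

Added example, not code from Google or Finjan. It models the kind of
sanitisation described above: a URL submitted to a blacklist may carry
the reporting user's own credentials either in the userinfo component
(scheme://user:pass@host/) or in query parameters. The set of query keys
treated as sensitive is an assumption for this example.
"""
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumed query keys that commonly carry credentials or session material.
SENSITIVE_KEYS = {
    "password", "passwd", "pwd", "pass", "login", "user", "username",
    "token", "session",
}
REDACTED = "REDACTED"


def strip_credentials(url):
    """Return (sanitised_url, leaked).

    leaked is a list naming what was removed ("userinfo" or "query:<key>"),
    so a caller can decide whether the submitter needs a password-reset notice.
    """
    parts = urlsplit(url)
    leaked = []

    # 1. userinfo: scheme://user:pass@host[:port]. rsplit on the last "@"
    #    so a password that itself contains "@" is still handled correctly.
    netloc = parts.netloc
    if "@" in netloc:
        _userinfo, host = netloc.rsplit("@", 1)
        leaked.append("userinfo")
        netloc = host

    # 2. query parameters such as ?login=alice&password=hunter2
    cleaned = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SENSITIVE_KEYS and value:
            leaked.append("query:" + key)
            cleaned.append((key, REDACTED))
        else:
            cleaned.append((key, value))
    query = urlencode(cleaned)

    sanitised = urlunsplit((parts.scheme, netloc, parts.path, query, parts.fragment))
    return sanitised, leaked


def sanitise_blacklist(urls):
    """Sanitise every entry; return (clean_entries, entries_that_leaked)."""
    clean = []
    leaked_count = 0
    for url in urls:
        sanitised, leaked = strip_credentials(url)
        clean.append(sanitised)
        if leaked:
            leaked_count += 1
    return clean, leaked_count


# Constructed sample submissions; none of these hosts or credentials are real.
SAMPLE_SUBMISSIONS = [
    "http://alice:s3cret@phish.example/login",
    "https://bank.example/?login=bob&password=hunter2&page=1",
    "http://phish.example/search?q=account+update",
]

if __name__ == "__main__":
    entries, leaked = sanitise_blacklist(SAMPLE_SUBMISSIONS)
    for entry in entries:
        print(entry)
    print("submissions that carried credentials:", leaked)
```

Only the sanitised form should ever reach the published list; the `leaked` result is what drives the "notify the user and suggest a password reset" step, since the credentials were already exposed the moment they were submitted.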

Finjan said in its report, "Such sensitive information could potentially 
have been used to compromise user privacy, and could even have been used 
for identity theft or financial profit (as users generally have a single 
'Web' password for most of their online accounts)."

It could also be used for marketing, if you happen to be selling 
security products.

Google said 15 people have been notified. There's no indication that the 
data in question has been abused.

While Google reacted swiftly to the issue -- one caused by users reporting 
URLs that carried their own login credentials -- it continues to make 
sensitive personal information available through its search engine, as do 
the other major search engines. And it's up to search engine users to 
police that information.

As InformationWeek reported in August 2005, searching for terms related 
to Social Security numbers using a search engine continues to return 
Social Security numbers, key data for identity theft.

In fact, Google is downright helpful when it comes to finding Social 
Security numbers: In one case -- and it may be the only one -- Google 
will identify an individual whose Social Security number has been posted 
online, thanks to a feature in the Google Toolbar that generates search 
suggestions based on popular searches. (Evidently, a lot of people have 
searched for this person's Social Security number.)

Entering two keywords related to Social Security numbers -- call them 
"x" and "y" so as not to compound the problem -- into the Google Toolbar 
will produce a keyword search suggestion in the form "x y John Doe." 
Selecting the suggested search terms and name, as might be expected, 
generates a search results page with the named person's Social Security 

A spokesperson for Google said the company's engineers didn't have an 
immediate explanation for the auto-generated suggestion, that it was 
probably an aberration and that the suggestion would likely be removed.

Google explains the search suggestion feature as follows: "As you type a 
search query into the new Toolbar's search box, you'll see a list of 
useful suggestions based on popular Google searches, spelling 
corrections, and your own Toolbar search history and bookmarks."

A Google spokesperson acknowledged receiving the same suggestion using 
the search terms cited above, so it appears that this particular 
suggestion was made because the terms represented a popular search 
rather than as a result of local search history at any single computer.

Google has been aware of the problem of indexing sensitive information 
and discusses it in its Help Center. The company points out that its 
search index reflects the contents of the Web, and removing sensitive 
information from its index does not remove it from the Web. Thus, Google 
encourages users to seek to remove sensitive information from the Web 
rather than just its index.

Google is willing to help, however. The company says, "If you find a 
page in our search results that lists your Social Security, credit card, 
or bank account numbers, please e-mail us the URL and we'll contact the 
site's hosting company to request that the page be taken down from the 

Google also encourages users to use its search engine as a free credit 
card and Social Security number monitoring service for Web-based 
content. "We also suggest that individuals create Google Alerts for 
their credit card and Social Security numbers," the company recommends. 
"You can be notified once a day or once a week if a new result appears 
on Google for this query."
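A site owner does not have to wait for a search engine to index the numbers before finding out they are exposed. The following is an added example, not from the article or from Google, showing a scan a publisher could run over content before it goes online: it finds Social Security number patterns and validates them against the structural rules for SSNs, and finds 13 to 19 digit card-like sequences and keeps only those that pass the Luhn check. The sample page text is constructed for the example and contains no real numbers.

```python
"""Scan text for Social Security and payment card numbers before publishing.

Added example, not code from the article or from Google. The SSN structural
rules (area not 000, 666 or 900-999; group not 00; serial not 0000) and the
Luhn check are standard; the sample page below is constructed and not real.
"""
import re

# 123-45-6789 form; digit-only SSNs would need a stricter context check.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")

# 13 to 19 digits, optionally separated by single spaces or dashes,
# and not part of a longer digit run on either side.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def ssn_plausible(area, group, serial):
    """Apply the structural rules an SSN must satisfy to be issuable."""
    if area in ("000", "666") or area >= "900":
        return False
    if group == "00" or serial == "0000":
        return False
    return True


def luhn_ok(digits):
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive_numbers(text):
    """Return {'ssn': [...], 'card': [...]} of values that pass validation."""
    ssns = [
        m.group(0)
        for m in SSN_RE.finditer(text)
        if ssn_plausible(m.group(1), m.group(2), m.group(3))
    ]
    cards = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            cards.append(digits)
    return {"ssn": ssns, "card": cards}


# Constructed sample content; the numbers are test values, not real data.
SAMPLE_PAGE = """
Employee roster (constructed sample)
Jane Doe, SSN 123-45-6789, card 4111 1111 1111 1111
John Roe, SSN 666-12-3456, card 4111-1111-1111-1112
Phone 555-123-4567, order id 1234-5678-9012
"""

if __name__ == "__main__":
    found = find_sensitive_numbers(SAMPLE_PAGE)
    print("SSNs:", found["ssn"])
    print("cards:", found["card"])
```

The two rejected values in the sample show why the validation matters: 666-12-3456 has a never-issued area number, and 4111-1111-1111-1112 fails Luhn, so neither would be worth alerting on. A phone number and a 12-digit order id never match at all.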

Or you could just wait for notification of a data breach, as required by 
California law.


This archive was generated by hypermail 2.1.3 : Tue Jan 23 2007 - 22:33:53 PST