Google Public Service Search makes for easy phishing

You might want to be very careful before entering your username and password on any “new” services from Google. Developer Eric Farraro has uncovered a potential hole in Google’s Public Search Service that allows a malicious (or mischievous) person to put up a fake Google sign-in page to collect usernames and passwords for real Google services.

I found a question this morning on Ask MetaFilter about a supposed new service called Gmail Plus. The URL, www.google.com/u/gplus, looked legit. In my pre-caffeinated state, I almost entered my Google username and password to see what sort of pre-announced Google service this MeFi-er had turned up. Instead, I went ahead and checked the comments and found that signing in would have been a very, very bad idea.

Turns out, it’s a page created by Farraro to demonstrate a potential exploit in Google’s Public Service Search:

This service is meant for universities or other non-profit organizations to add a ‘Google’ search to their website. It differs from the other free Google site search in that it allows you to customize the header and footer of the search results page. It’s interesting to note that the code for your header and footer is actually hosted by Google, on their server.

I actually found this site when asked to add a Google search to one of the pages at work. One problem that people had with the default behavior is that while you can customize the initial search box to your heart’s consent, the search box that appears on the results page is off-limits. This was a problem, because people had asked for the radio buttons say specific things, instead of the default ‘WWW’ and ‘some other domain’. I pondered how I could get around this, just out of curiosity (though I suspect this would violate the ToS 🙂 ) and tried a simple Javascript alert. Sure enough, when I ‘previewed’ the page, the script was executed. Interesting…

I began to use Javascript to modify the DOM, allowing me to change the search box on the results page. Then I had another idea… I knew that my header was rendered first, then Google’s results, then the footer. I decided to encapsulate the Google search results by placing them in a DIV tag, then closed the DIV tag in the bottom. Right after that, in the footer, I used the Javascript ‘document.getElementById(divID).innerHTML’ property, and essentially, hid all of Google’s search results. I realized that I had created a blank slate, hosted at a Google.com address.

Most phishing scams have a suspicious URL that an alert (or sometimes even semi-alert) user can spot easily. With the Google Public Service Search, though, users may not think anything of a service being hosted on Google itself. The “u/servicename” URL just doesn’t look all that odd unless you’re already familiar with the Public Service offering.

Farraro says he’s notified Google security about the bug, but in the meantime, it would pay to be very careful, and avoid providing your Google credentials to any Google services with the /u/servicename construction.