Wow, it seems like even the beloved Google has become a type of security threat. Phishing has just become as easy as a Google search.
You might want to be very careful before entering your username and password on any “new” services from Google. Developer Eric Farraro has uncovered a potential hole in Google’s Public Search Service that allows a malicious (or mischievous) person to put up a fake Google sign-in page to collect usernames and passwords for real Google services.
I found a question this morning on Ask MetaFilter about a supposed new service called Gmail Plus. The URL, www.google.com/u/gplus, looked legit. In my pre-caffeinated state, I almost entered my Google username and password to see what sort of pre-announced Google service this MeFi-er had turned up. Instead, I went ahead and checked the comments and found that signing in would have been a very, very bad idea.
Turns out, it’s a page created by Farraro to demonstrate a potential exploit in Google’s Public Service Search…
Source: NewsForge