By Thomas Claburn
Jan 22, 2007
Information gathered for Google's Safe Browsing extension for Firefox
wasn't safely stored on Google's servers, according to a report issued
by computer security company Finjan.
Finjan today confirmed earlier reports that Google's anti-phishing
blacklist, containing private user names and passwords, was accessible
without protection on Google's servers. The company said that it made
the discovery on Jan. 3, that it informed Google, and that the data is
no longer publicly accessible.
In a statement, Google explained, "Some URLs users submitted to the
Google Safe Browsing project included credential information such as
login and/or password for the Web site they were visiting. We have
removed this information from URLs in the blacklist and created a
process whereby this information is automatically stripped from future
URLs submitted by users. In addition, we are in the process of notifying
the users who inadvertently disclosed this information and suggesting
that they reset associated passwords."
Finjan said in its report, "Such sensitive information could potentially
have been used to compromise user privacy, and could even have been used
for identity theft or financial profit (as users generally have a single
'Web' password for most of their online accounts)."
It could also be used for marketing, if you happen to be selling
Google said 15 people have been notified. There's no indication that the
data in question has been abused.
While Google reacted swiftly to the issue -- one caused by user
carelessness -- it continues to make sensitive personal information
available through its search engine, as do the other major search
engines. And it's up to search engine users to police that information.
As InformationWeek reported in August 2005, searching for terms related
to Social Security numbers using a search engine continues to return
Social Security numbers, key data for identity theft.
In fact, Google is downright helpful when it comes to finding Social
Security numbers: In one case -- and it may be the only one -- Google
will identify an individual whose Social Security number has been posted
online, thanks to a feature in the Google Toolbar that generates search
suggestions based on popular searches. (Evidently, a lot of people have
searched for this person's Social Security number.)
Entering two keywords related to Social Security numbers -- call them
"x" and "y" so as not to compound the problem -- into the Google Toolbar
will produce a keyword search suggestion in the form "x y John Doe."
Selecting the suggested search terms and name, as might be expected,
generates a search results page with the named person's Social Security
A spokesperson for Google said the company's engineers didn't have an
immediate explanation for the auto-generated suggestion, that it was
probably an aberration and that the suggetion would likely be removed.
Google explains the search suggestion feature as follows: "As you type a
search query into the new Toolbar's search box, you'll see a list of
useful suggestions based on popular Google searches, spelling
corrections, and your own Toolbar search history and bookmarks."
A Google spokesperson acknowledged receiving the same suggestion using
the search terms cited above, so it appears that this particular
suggestion was made because the terms represented a popular search
rather than as a result of local search history at any single computer.
Google has been aware of the problem of indexing sensitive information
and discusses it in its Help Center. The company points out that its
search index reflects the contents of the Web, and removing sensitive
information from its index does not remove it from the Web. Thus, Google
encourages users to seek to remove sensitive information from the Web
rather than just its index.
Google is willing to help, however. The company says, "If you find a
page in our search results that lists your Social Security, credit card,
or bank account numbers, please e-mail us the URL and we'll contact the
site's hosting company to request that the page be taken down from the
Google also encourages users to use its search engine as a free credit
card and Social Security number monitoring service for Web-based
content. "We also suggest that individuals create Google Alerts for
their credit card and Social Security numbers," the company recommends.
"You can be notified once a day or once a week if a new result appears
on Google for this query."
Or you could just wait for notification of a data breach, as required by
Subscribe to InfoSec News