Security flaw discovered in Google appliance

November 28, 2006

Yesterday, Internet security observers said a design flaw in Google's search appliances could expose websites that use the products to information-stealing phishing attacks.

The Google Mini and the Google Search Appliance are widely used by companies and organizations, including some banks and universities, to add search features to their Web sites. A security hole in the way the systems handle certain characters makes it possible to craft a Web link that looks like it points to a trusted site but, when clicked, serves up content from a third, potentially malicious site.

"Such a vulnerability affects a lot of very large Web sites," John Herron, a security expert who maintains the NIST.org site, said in an email. "It basically allows a virtual defacement of a Web site when following a malicious link."

The security vulnerability gives cybercrooks a "hook" for phishing attacks, scams that try to trick people into giving up sensitive information such as credit card data and Social Security numbers. Phishing scams typically employ emails with an embedded link to a fraudulent Web site.

Reportedly, Google found out about the security risks last week, a spokesman for the Mountain View, Calif., company said in an email yesterday. "We have notified all our customers and provided them with clear instructions on how to protect their search appliances," he wrote, adding that no Google Search Appliance or Google Mini users have reported any exploits of the flaw as of yet.

Google sent an advisory note to all customers on November 22nd, just before the Thanksgiving holiday, the spokesman said. The security vulnerability will also be addressed in the next release of the products, he said.

The cross-site scripting problem involves 7-bit Unicode Transformation Format (UTF) character encoding. "This particular vulnerability is clever because of the encoding code," said Jeremiah Grossman, chief technology officer at WhiteHat Security, which specializes in Internet application flaws and protection.

One way Internet users can protect themselves against attacks that attempt to exploit the flaw in the Google appliances is to fully inspect hyperlinks. The rigged links would be very long, according to security experts.

Owners of the Google appliances who have not yet heard from Google should contact the company for a fix as soon as possible. "Web site owners must be diligent about finding and repairing such vulnerabilities, since even products supplied by well-known brands possess these extremely common issues," Grossman said.

Source: ZD Net
Copyright © Search Engines Today. All rights reserved.