----------------------------------- aiolos Tue 23 Jan, 2007 Google's anti-phishing plugin leaked passwords ----------------------------------- Microsoft isn't the only one with security issues : A recent press release from web security provider Finjan Inc. has exposed a security flaw with Google's anti-phishing browser extension for the Firefox web browser. Apparently, the extension accidentally gathered some users' e-mail addresses and passwords. Finjan informed Google of the problem earlier this month before making their findings public, and Google has since released an updated version of their plugin that fixed the problem. How did an anti-phishing plugin wind up exposing user names and passwords to the general public? Google's software used a public blacklist, available from Google's servers, which listed sites that were fraudulently pretending to be banking or other financial institutions. Unfortunately, some of these sites embedded usernames and passwords directly into the URL—obviously phishing sites didn't have concerns about security—and were thus viewable by anyone. The fix was a simple one and merely involved Google stripping out any user information from the URL before posting it to the blacklist site. Still, the fact that a tool designed to help stop online fraud could have accidentally revealed sensitive user information is somewhat disquieting, especially given the fact that many people reuse the same passwords for multiple sites. Finjan recommends that home users disable features found on many web toolbars that enable URL sharing or forwarding, although this would impact many of the latest "social software" utilities that have been popular with Web 2.0 fans. Also, they strongly suggest—and this is always good practice—that users should never use the same password for more than one site. Corporate users are told to use "proactive" protection for their web security solution, as antivirus and URL filtering software by themselves may not be enough.