Code that lets organizations put search tool on their own pages could have given a toehold to scammers.
The problem went public when blogger Eric Farraro posted details on Thursday on his software development blog. Farraro said that the customizable code in Google's Public Service Search, which enables nonprofit institutions like universities to install ad-free Google search functions on their Web sites at no cost, could be used to create a page hosted on the google.com domain.
Scammers could then use this to build fraudulent Google pages to lure people into handing over personal information, Farraro noted. He demonstrated this by creating a false "Gmail Plus" page: When unsuspecting visitors to the page tried to use their Gmail password to log in, the site delivered a "You (could have) gotten served!" message.
Search giant Google confirmed the existence of the security hole in a statement posted on its blog on Friday. The company has temporarily disabled all login access to Public Service Search clients and has placed a moratorium on new sign-ups. The search functions on current clients' Web sites, however, remain intact. According to Google, a temporary fix has been installed in the service, with a more permanent one in the works.
The Public Search Service phishing hole was particularly alarming because it used real Google URL, similar to the case of a PayPal flaw found earlier this summer. Many safeguards against phishing depend on being able to identify a fraudulent domain posing as a legitimate one.
Phishing remains a growing online crime, despite attempts by major Web companies to curtail it with browser warnings and add-ons. Recent trends have shown that phishers are beginning to expand their horizons.