- Related Stories
-
'Tis the season to send spam
November 20, 2006 -
Spoofing bug found in IE 7
October 25, 2006 -
Phishers catch on to the Net's 'long tail'
September 12, 2006 -
PayPal fixes phishing hole
June 16, 2006 -
Google unveils enterprise Search Appliance
April 18, 2006 -
Google offers cheaper search appliance
March 2, 2006
The Google Search Appliance and Google Mini are used by organizations including banks and universities to add search features to Web sites. A flaw in the way the systems handle certain characters makes it possible to craft a Web link that looks like it points to a trusted site, but when clicked serves up content from a third, potentially malicious site.
"This vulnerability affects a lot of very large Web sites," John Herron, a security expert who maintains the NIST.org site, said in an e-mail. "It basically allows a virtual defacement of a Web site when following a malicious link."
The vulnerability provides cybercrooks a hook for phishing attacks, scams that try to trick people into giving up sensitive information such as credit card data and Social Security numbers. Phishing scams typically use spam e-mail with a link to a fraudulent Web site.
Google found out about the problem last week, a spokesman for the Mountain View, Calif. company said in an e-mail Monday. "We have notified all customers and provided them with clear instructions on how to protect their appliances," he wrote, adding that no Google Search Appliance or Google Mini users have reported any exploits of the flaw.
Google sent an advisory to all customers on November 22, just before the Thanksgiving holiday, the spokesman said. The vulnerability will also be addressed in the next release of the products, he said.
The cross-site scripting problem involves 7-bit Unicode Transformation Format (UTF) character encoding. "This particular vulnerability is clever because of the encoding hack," said Jeremiah Grossman, chief technology officer at WhiteHat Security, which specializes in Web application flaws and protection.
One way Internet users can protect themselves against attacks that attempt to exploit the flaw in the Google appliances is to inspect Web links. The rigged links will be very long, according to security experts.
Users of the Google appliances who have not heard from Google should contact the company for a fix. "Web site owners must be diligent about finding and fixing vulnerabilities, (since) even products supplied by well-known brands possess these extremely common issues," Grossman said.
- More from News.com on this story's topics
Spam and phishing
Web sites
Fraud
Security threats
Flaws
Google
See more CNET content tagged:
search appliance,
Google Search Appliance,
Google Mini,
phishing,
appliance
... or log in manually to your email client and click the link in our email. Once you have confirmed your registration, please log in.
Dell Laptop only $499!