
Hole could open websites to data theft...
By Joris Evers
Published: 28 November 2006 08:45 GMT
A security flaw in Google's search appliances could expose websites that use the products to info-stealing phishing attacks, experts have warned.
The Google Search Appliance and Google Mini are used by organisations including banks and universities to add search features to websites. A flaw in the way the systems handle certain characters makes it possible to craft a web link that looks as if it points to a trusted site but, when clicked, causes that site's search page to serve up content from a third, potentially malicious site.
John Herron, a security expert who maintains the NIST.org site, said in an email: "This vulnerability affects a lot of very large websites. It basically allows a virtual defacement of a website when following a malicious link."
The vulnerability provides cyber crooks with a hook for phishing attacks. Phishing scams typically use spam email with a link to a fraudulent website.
Google found out about the problem last week, a spokesman for the company said in an email. "We have notified all customers and provided them with clear instructions on how to protect their appliances," he wrote, adding that no Google Search Appliance or Google Mini users have reported any exploits of the flaw.
Google sent an advisory to all customers on 22 November, the spokesman said. The vulnerability will also be addressed in the next release of the products, he added.
The cross-site scripting problem involves UTF-7, the 7-bit Unicode Transformation Format character encoding. Jeremiah Grossman, chief technology officer at WhiteHat Security, which specialises in web application flaws and protection, said: "This particular vulnerability is clever because of the encoding hack."
One way internet users can protect themselves against attacks that attempt to exploit the flaw in the Google appliances is to inspect web links. The rigged links will be very long, according to security experts.
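To show what the "encoding hack" looks like in practice, and why the resulting links are so long, here is an added illustration of UTF-7 cross-site scripting. The encoder, the angle-bracket filter, the two response builders and the browser model are all constructed for this example; none of it is Google's code or taken from the advisory the article describes, and the exact filter and response shape of the appliances are assumptions. The point it demonstrates is general: a filter that looks for literal `<` and `>` sees nothing in `+ADw-script+AD4-`, while a browser that is not told the page's charset may guess UTF-7 and decode those sequences back into a script tag.

```python
"""UTF-7 encoded cross-site scripting, as an added illustration.

The encoder, the tag filter, the two response builders and the browser
model below are constructed for this example; none of it is Google's
code or taken from the advisory the article describes."""
import base64
import html
import re

# RFC 2152 "Set D": characters every UTF-7 decoder accepts unencoded.
SET_D = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
            "0123456789'(),-./:?")


def utf7_encode(text):
    """Attacker-style UTF-7 encoder: shift every character outside Set D
    into a '+<base64 of UTF-16BE>-' sequence, so '<', '>', '"' and '&'
    never appear literally in the output."""
    out, run = [], []

    def flush():
        if run:
            raw = "".join(run).encode("utf-16-be")
            b64 = base64.b64encode(raw).decode("ascii").rstrip("=")
            out.append("+" + b64 + "-")   # '+' opens the shift, '-' closes it
            run.clear()

    for ch in text:
        if ch in SET_D or ch in " \t\r\n":
            flush()
            out.append(ch)
        elif ch == "+":
            flush()
            out.append("+-")              # a literal '+' is written '+-'
        else:
            run.append(ch)
    flush()
    return "".join(out)


TAG_RE = re.compile(r"<[^>]*>")


def naive_strip_tags(s):
    """A filter that 'removes HTML' by deleting literal <...> sequences."""
    return TAG_RE.sub("", s)


def vulnerable_results_page(query):
    """Constructed model of the flawed response: filters on literal angle
    brackets and sends the page without declaring a charset.
    Returns (headers, body_bytes)."""
    body = "<html><body>Results for: %s</body></html>" % naive_strip_tags(query)
    return {"Content-Type": "text/html"}, body.encode("utf-8")


def fixed_results_page(query):
    """Hardened response: escape the query as Unicode text rather than
    hunting for byte patterns, and pin the charset so the browser has
    nothing to guess."""
    body = "<html><body>Results for: %s</body></html>" % html.escape(query)
    return {"Content-Type": "text/html; charset=utf-8"}, body.encode("utf-8")


UTF7_SHIFT_RE = re.compile(rb"\+[A-Za-z0-9+/]+-")


def browser_view(headers, body):
    """Simplified model of a 2006-era browser: honour a declared charset;
    with none declared, auto-detect UTF-7 when shift sequences are present.
    Returns the text the browser's HTML parser would actually see."""
    m = re.search(r"charset=([\w-]+)", headers.get("Content-Type", ""))
    if m:
        return body.decode(m.group(1))
    if UTF7_SHIFT_RE.search(body):
        return body.decode("utf-7")
    return body.decode("latin-1")


def demo():
    """Run the payload against both responses; returns (payload, vuln, safe)."""
    payload = utf7_encode("<script>alert(1)</script>")
    vuln = browser_view(*vulnerable_results_page(payload))
    safe = browser_view(*fixed_results_page(payload))
    return payload, vuln, safe


if __name__ == "__main__":
    for label, text in zip(("payload", "vulnerable", "fixed"), demo()):
        print("%-10s %s" % (label, text))
```

Running it prints the encoded payload, the page as the browser parses it when no charset is declared (the script tag is back), and the page from the fixed response (the `+ADw-` sequences remain inert text). Two things matter in the fix: escaping is done on the decoded Unicode string, not on a byte pattern, and the response declares `charset=utf-8`, which removes the browser's incentive to sniff UTF-7 at all.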
Users of the Google appliances who have not heard from Google should contact the company for a fix. Grossman said: "Website owners must be diligent about finding and fixing vulnerabilities, [since] even products supplied by well-known brands possess these extremely common issues."
Joris Evers writes for CNET News.com
Copyright ©1995-2008 CNET Networks, Inc. All rights reserved.