On January 3, 2007, Finjan’s Malicious Code Research Center (MCRC) researchers discovered that a list of URLs was available and unprotected on Google’s servers and immediately informed Google, which acknowledged receipt of Finjan’s alert about the vulnerability. Finjan believes the information on the servers had been gathered using Google’s anti-phishing browser extension. Google has fixed the problem, and it is assumed that Google has notified all affected users. Recent tests conducted by Finjan confirm that there is no data leakage on the current Google anti-phishing blacklist.
“Finjan became aware of the problem after examining a publicly available list of URLs provided from Google’s servers,” said Yuval Ben-Itzhak, Finjan’s Chief Technology Officer. “After examining the data provided in these files, Finjan found that sensitive user information was available on the web with no access protection, including emails, usernames, passwords and session tokens that could be used by hackers to compromise users’ privacy.”
Finjan offers the following advice to minimize the risk of exposing confidential information from similar web applications:
Pointers for home users:
- Avoid sharing your browsing habits with third parties by disabling URL sharing or forwarding, which is usually enabled in your browser’s toolbars.
- Use an adequate password policy for your web accounts. Do not use the same password for all web accounts: having the same password for several accounts will compromise ALL of them if just one is compromised.
- Make sure that your PC is adequately protected from malicious software such as spyware and adware that can send out private information. Even when an application’s privacy policy looks sensible, remember that sending a single full URL (including its parameters) is enough to disclose your email address and other private information.
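The point in the last item, that forwarding a full URL with its parameters is enough to leak an email address or session token, is easy to see in code. The following Python is an added example, not code from Finjan or Google: it flags credential-like query parameters in a URL and shows two ways a toolbar or proxy could reduce what it sends to a URL-reputation service. The parameter-name list and the sample URL are constructed for illustration.

```python
"""Redact a URL before sharing it with a third-party reputation service.

Added example (not part of the original advisory): shows why sending a
full URL, query string included, can leak the data the advisory names
(emails, usernames, passwords, session tokens), and how a toolbar or
proxy could reduce the URL to what a blacklist lookup actually needs.
The parameter names below are a constructed illustration, not a standard.
"""
from __future__ import annotations

from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed list of query-parameter names that commonly carry secrets.
SENSITIVE_PARAMS = {
    "email", "user", "username", "login", "password", "passwd", "pwd",
    "token", "session", "sessionid", "sid", "auth", "api_key", "apikey",
}


def _host_with_port(parts) -> str:
    """Rebuild the authority without any user:password@ userinfo."""
    host = parts.hostname or ""
    if parts.port:
        host = f"{host}:{parts.port}"
    return host


def find_sensitive_params(url: str) -> list[str]:
    """Return the names of query parameters that look sensitive.

    Matches on the parameter name (case-insensitive) and also flags any
    value containing '@', which is usually an email address.
    """
    found = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if name.lower() in SENSITIVE_PARAMS or "@" in value:
            found.append(name)
    return found


def minimal_lookup_url(url: str) -> str:
    """Reduce a URL to scheme, host and path for a reputation lookup.

    Query string, fragment and userinfo are dropped: a blacklist keyed on
    host and path does not need them, and they are where credentials and
    session tokens end up.
    """
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, _host_with_port(parts), parts.path, "", ""))


def redact_url(url: str) -> str:
    """Keep the query string but mask sensitive parameter values.

    For services that need some parameters (for example a search term)
    but must never see credentials or tokens.
    """
    parts = urlsplit(url)
    cleaned = [
        (k, "REDACTED" if k.lower() in SENSITIVE_PARAMS or "@" in v else v)
        for k, v in parse_qsl(parts.query, keep_blank_values=True)
    ]
    return urlunsplit(
        (parts.scheme, _host_with_port(parts), parts.path, urlencode(cleaned), "")
    )


if __name__ == "__main__":
    # Constructed sample: the kind of URL a webmail site might produce,
    # which a toolbar would otherwise forward verbatim.
    sample = ("https://mail.example.test/inbox?user=alice%40example.test"
              "&sessionid=abc123&folder=inbox#msg42")
    print("sensitive params:", find_sensitive_params(sample))
    print("lookup URL:      ", minimal_lookup_url(sample))
    print("redacted URL:    ", redact_url(sample))
```

Sending only the output of `minimal_lookup_url` is the safer default for a blacklist check; `redact_url` is the fallback when the receiving side genuinely needs part of the query string.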
Pointers for corporate users:
- Make sure that you have proactive protection in your web security solution – chasing the attack vectors after the event is always “too little, too late”, particularly if you get hit by a zero-hour attack that your security solution does not recognize. Anti-virus and URL filtering are not enough!
- Make sure that your security solution is updated to handle new technologies and trends. Security products must protect you from the vulnerabilities rather than just from attacks and exploits.
- Check your vendor’s research capabilities and their ability to provide up-to-date information that is immediately translated into actionable security measures.
- Deploy a web security solution that protects users from being subjected to information leakage by preventing users from visiting phishing sites in the first place. The solution should also prevent any toolbar or add-on that is installed in the browser from getting to see the URL.
- Examine your egress data policy to make sure that you cover all known and suspicious site access (users trying to access phishing sites).
About MCRC
Malicious Code Research Center (MCRC) is the leading research department at Finjan, dedicated to the research and detection of security vulnerabilities in Internet and email applications as well as other popular applications. MCRC’s goal is to continue to be steps ahead of hackers attempting to exploit open platforms and technologies to develop malicious code such as spyware, Trojans, phishing attacks, worms and viruses. MCRC researchers work with the world’s leading software vendors to help patch their security holes, and contribute to the development of next-generation defense tools for Finjan’s proactive secure content management solutions. For more information, visit our MCRC subsite.