A recent press release from web security provider Finjan Inc. has exposed a security flaw in Google’s antiphishing browser extension for the Firefox web browser. Apparently, the extension inadvertently exposed some users’ e-mail addresses and passwords. Finjan informed Google of the problem earlier this month, before making its findings public, and Google has since released an updated version of the plugin that fixes the problem.
How did an antiphishing plugin wind up exposing user names and passwords to the general public? Google’s software used a public blacklist, available from Google’s servers, which listed sites that were fraudulently pretending to be banking or other financial institutions. Unfortunately, some of these sites embedded the usernames and passwords their victims had typed directly into the URL—obviously phishing sites didn’t have concerns about security—so those credentials ended up in the blacklist, where anyone who downloaded it could read them.
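The underlying defect is a publishing pipeline that copied raw URLs, credentials and all, into a file meant to be public. The following is an added example, not code from Google, Finjan or the Firefox extension, of how a blacklist publisher can strip the credential-bearing parts of a URL (the userinfo component and credential-looking query parameters) before release, while keeping the scheme, host and path that a blacklist match actually needs. The host names in the sample entries and the set of query parameter names treated as sensitive are assumptions made for this example.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query parameter names that commonly carry credentials. This set is an
# assumption for the example, not something taken from the original report.
SENSITIVE_KEYS = {"password", "passwd", "pwd", "pass", "pin",
                  "email", "user", "username", "login", "account"}

# Constructed sample entries in the shape the article describes: a phishing
# page that put the victim's e-mail address and password straight into the URL.
# Placeholder hosts only, not real blacklist data.
SAMPLE_BLACKLIST = [
    "http://victim%40example.com:hunter2@phish.example.net/login",
    "http://phish.example.net/login?email=victim%40example.com&password=hunter2",
    "http://phish.example.net/verify.php",
    "http://phish.example.net/verify.php",
]


def has_embedded_credentials(url):
    """True if the URL carries userinfo ('user:pass@host') or a
    credential-looking query parameter. Useful as a release-gate check."""
    parts = urlsplit(url)
    if "@" in parts.netloc:
        return True
    keys = {k.lower() for k, _ in parse_qsl(parts.query, keep_blank_values=True)}
    return bool(keys & SENSITIVE_KEYS)


def scrub_url(url):
    """Return the URL with userinfo removed, sensitive query values redacted
    and the fragment dropped, keeping only what a blacklist match needs."""
    parts = urlsplit(url)
    host = parts.hostname or ""          # hostname already excludes userinfo
    if ":" in host:                      # IPv6 literal: restore the brackets
        host = f"[{host}]"
    if parts.port is not None:
        host = f"{host}:{parts.port}"
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    redacted = [(k, "REDACTED" if k.lower() in SENSITIVE_KEYS else v)
                for k, v in pairs]
    query = urlencode(redacted)          # "" when there were no parameters
    return urlunsplit((parts.scheme, host, parts.path, query, ""))


def scrub_blacklist(entries):
    """Scrub every entry and drop the duplicates scrubbing creates,
    preserving the original order."""
    seen, out = set(), []
    for url in entries:
        clean = scrub_url(url)
        if clean not in seen:
            seen.add(clean)
            out.append(clean)
    return out


if __name__ == "__main__":
    for url in SAMPLE_BLACKLIST:
        flag = "LEAK" if has_embedded_credentials(url) else "ok  "
        print(flag, scrub_url(url))
```

The parameter-name check is a heuristic and will miss a site that uses an unusual field name, so a conservative publisher that does not need query strings for matching simply drops them entirely and keeps `has_embedded_credentials` as a final gate that blocks release of any entry still carrying userinfo.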