Google search bug could be exploited by phishers

A bug in the Google Search Appliance used by many businesses to search their corporate information could be exploited in a phishing attack, security experts have warned.

The NIST.org security news website warned that a Cross-Site Scripting (XSS) vulnerability in the widely used search appliance affects “a lot of large websites, many that are ripe for phishing exploits”.

The flaw was first reported on a hackers’ website and relates to the use of UTF-7 character encoding to bypass special character input handling. Examples have “demonstrated vulnerabilities at some major websites, including large government sites, major universities, etc”, NIST.org said.

The security website has reported the issue to the US Computer Emergency Readiness Team (US-CERT) and to one of the affected government bodies.

But it warned, “With so many financial institutions and government agencies using this appliance it is only a matter of time before this vulnerability is exploited in a large scale phishing attack.”

Comment on this article: computer.weekly@rbi.co.uk