[Full-disclosure] Google's blacklisted url database (phishing url database)

Sûnnet Beskerming info at beskerming.com
Wed Jan 3 06:35:11 GMT 2007


Hi List,

"How exactly does such data get captured? Somebody placed a link  
somewhere with the url having the user/password in it?"

A bit of digging turns up the Google Gadget that these little MySpace  
gems are coming from (http://www.google.com/ig/directory?url=http://web.ebuell.com/myspace.xml).  Why the developer chose to pass /  
accept authentication details in the URL without warning the end user  
is beyond me.  Perhaps it is related to his claims that it can be  
used as a proxy to access MySpace when the main site is being blocked  
by filters.

Unfortunately for Google, the URLs listed clearly identify that the  
mistake is a result of Google indexing the Google Gadgets that people  
have placed on their sites / Google homepages.  It is interesting to  
see the quality of the passwords on this list of presumably live  
accounts, though I do think that some of the users are a little  
insecure about more than just their passwords...

Even though searching for various elements of the listed URLs across  
a number of the major search engines doesn't turn up anything of  
interest, the author claims that it has been used almost 3.5 million  
times from Google (distinct users would be less, but it would make  
for interesting sniffing).


Carl

Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
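As an added illustration of the problem described in the post (credentials carried in a URL query string end up wherever that URL is logged, shared or indexed), here is a small Python scanner that flags and redacts such parameters in access-log lines before they are stored. This is example code, not from the post or from the gadget it discusses; the list of sensitive parameter names and the log lines are constructed assumptions.

```python
"""Flag and redact credential-bearing query strings before a URL is logged or
indexed. Added example; not code from the post or the gadget it discusses.
Parameter names and log lines below are constructed samples."""
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query-parameter names commonly used to carry secrets (assumed list).
SENSITIVE_PARAMS = {"user", "username", "email", "pass", "password", "pwd",
                    "passwd", "token", "apikey", "api_key", "session"}

def find_credential_params(url: str) -> list:
    """Return the names of query parameters in `url` that look like credentials."""
    query = urlsplit(url).query
    return [name for name, _ in parse_qsl(query, keep_blank_values=True)
            if name.lower() in SENSITIVE_PARAMS]

def redact_url(url: str, mask: str = "REDACTED") -> str:
    """Replace the values of credential-looking parameters so the URL is safe to log."""
    parts = urlsplit(url)
    cleaned = [(name, mask if name.lower() in SENSITIVE_PARAMS else value)
               for name, value in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(cleaned)))

def scan_access_log(lines):
    """Yield (line_number, redacted_url, leaked_param_names) for each request whose
    URL carries credential-looking parameters. Expects the common log format's
    quoted request field: "METHOD /path?query HTTP/1.x"."""
    for lineno, line in enumerate(lines, 1):
        try:
            request = line.split('"')[1]          # the quoted request field
            _, target, _ = request.split(" ", 2)
        except (IndexError, ValueError):
            continue                              # malformed line, skip it
        leaked = find_credential_params(target)
        if leaked:
            yield lineno, redact_url(target), leaked

# Constructed sample log lines (no real accounts); the first leaks a user/password pair.
SAMPLE_LOG = [
    '203.0.113.5 - - [03/Jan/2007:06:35:11 +0000] "GET /gadget/myspace.xml?user=alice&password=hunter2 HTTP/1.1" 200 512',
    '203.0.113.6 - - [03/Jan/2007:06:35:12 +0000] "GET /gadget/myspace.xml?theme=dark HTTP/1.1" 200 512',
    'garbage line without a request field',
]

if __name__ == "__main__":
    for lineno, url, leaked in scan_access_log(SAMPLE_LOG):
        print(f"line {lineno}: leaks {leaked} -> {url}")
```

The same redaction step belongs anywhere a URL is persisted or forwarded (proxy logs, analytics, crash reports), since a secret in a query string is otherwise copied into every one of those stores.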



Full-Disclosure is hosted and sponsored by Secunia.