Google have fixed a phishing vulnerability that was discovered by Netcraft on Wednesday. Google notified Netcraft that they had closed the vulnerability today at 06:30 BST, making this less-than-two-days response much faster than the two years reported by Jim Ley when he discovered a separate but similar bug.
Both problems would have allowed fraudsters to inject their own content onto Google’s web site, making the content appear to be published by Google. This is a very effective form of phishing, as people are more likely to trust content if it appears to be hosted on a familiar domain.
The vulnerability was in the application used to search Google’s own web site, which was on the host googlesite.google.com, which now appears to be unreachable. Searches now appear to run from the parent google.com site instead.
Interestingly, while confirming the fix, Netcraft discovered another application error, which this time revealed fragments of the source code, file structures and application logic that powers the mysterious search behemoth, which we have in turn reported back to Google. At a glance, it is not clear whether the web application stack trace would be useful to an attacker, however, it does confirm the widely held belief that Google are users of the Python programming language.