Google Security Vulnerability: May share your full name; how Google might help phishers

You must be careful when you share your Gmail address. If you signed up for Google’s mail app with your real name, people who know of certain privacy holes in Google’s applications will be able to find out your first and last name. Google is kind of helping phishers; some of their tools, like Google Lively 3D and Google Chrome, train people not to look at the URL when entering their account credentials.

For instance, the Lively 3D chat widget can be embedded into any page and will ask for your password without visibly forwarding you to google.com, so anyone could fake most parts of the application that asks for your credentials. And once an attacker has the Google Account credentials, they can do things like reading your email, creating AdWords campaigns under your name, reading your Google Docs files and so on, depending on which tools you’re using with Google.

In Google Chrome, a special mode allows users to put a website into a pseudo desktop application mode, in which the URL is no longer shown, making it easier to fake a website to phish for user credentials. Let’s say you put the application FriendlyApp into desktop mode and open it the next time; after receiving an email or other message in FriendlyApp, you’re asked to re-enter your FriendlyApp password to continue. How would you tell whether you’re truly still on friendlyapp.com, or whether someone tricked you onto an external site trying to grab your password? This won’t work with just any application (e.g. an application may open all external links in new windows), but it creates an unnecessary risk for many other apps.
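The safeguard mentioned above, an application opening all external links in new windows, can be sketched as follows. This is an added example, not code from Google or from the original post; `APP_ORIGIN`, `classifyLink`, `hardenLinks` and the sample links are hypothetical names and constructed values for the article's "FriendlyApp".

```javascript
// Added example: decide which links may load inside an app-mode window.
// APP_ORIGIN is a hypothetical value for the article's "FriendlyApp".
const APP_ORIGIN = "https://friendlyapp.com";

// Returns "internal" only when the link resolves to exactly the app's origin;
// everything else is "external" and should not load in the URL-less window.
function classifyLink(href, appOrigin = APP_ORIGIN) {
  let url;
  try {
    url = new URL(href, appOrigin + "/"); // resolves relative and //host links
  } catch (e) {
    return "external"; // unparseable: never keep it inside the app window
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return "external";
  return url.origin === appOrigin ? "internal" : "external";
}

// Browser-side use: force every external anchor into a new window.
// Returns how many anchors were rewritten.
function hardenLinks(anchors, appOrigin = APP_ORIGIN) {
  let rewritten = 0;
  for (const a of anchors) {
    if (classifyLink(a.getAttribute("href") || "", appOrigin) === "external") {
      a.setAttribute("target", "_blank");
      a.setAttribute("rel", "noopener noreferrer");
      rewritten++;
    }
  }
  return rewritten;
}

// Constructed sample links, including look-alike forms of the app's host name.
const SAMPLES = [
  "/inbox/42",                                    // relative: internal
  "https://friendlyapp.com/settings",             // same origin: internal
  "https://friendlyapp.com.login.example/reauth", // look-alike subdomain
  "https://friendlyapp.com@login.example/reauth", // app name in userinfo part
  "//login.example/reauth",                       // protocol-relative
  "http://friendlyapp.com/settings",              // scheme downgrade
  "javascript:void(0)",                           // non-http scheme
];
```

In a page, `hardenLinks(document.querySelectorAll("a[href]"))` applies the rule to links already rendered; links inserted later need the same pass.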

Source: Google Blogoscoped