Google Catches Phishing Flaw in Appliances

Security experts are warning the computing world about a new security vulnerability in Google’s Search Appliance and Google Mini device that may yield more phishing attacks.

The flaw uses a cross-site scripting vulnerability that makes many Web sites “ripe for phishing exploits,” according to, a security group that detailed the vulnerability.

The exploit lets search results include HTML or JavaScript, allowing attackers to bypass the way both Search Appliance and Google Mini handle some special characters and triggering what one analyst termed the “perversion of legitimate Web sites.”

“It makes attacks much easier — targets do not have to be ‘phished’ into going to a phony Web site, they actually just go to the legitimate site,” Gartner analyst John Pescatore told

“In many ways, this is more dangerous than phishing e-mail, since it is harder to detect,” Pescatore said.
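The mechanism the article describes, reduced to its essentials as an added illustration (not code from Google or from the article): a search results page that echoes the user's query back into the HTML. The vulnerable renderer interpolates the raw string, so special characters in the query become live markup; the hardened one HTML-escapes them first, so the same input is displayed as text. The function names and the sample query are assumptions.

```python
import html

# Constructed sample query: markup that an unescaped results page
# would hand straight to the visitor's browser as live HTML.
SAMPLE_QUERY = '<b>annual report</b>'


def render_results_vulnerable(query: str) -> str:
    """Echo the query into the page unchanged (the flawed behaviour)."""
    return f'<p>Results for: {query}</p>'


def render_results_hardened(query: str) -> str:
    """Escape <, >, &, and quotes before the query reaches the HTML,
    so the browser renders the query as text, not as tags or script."""
    return f'<p>Results for: {html.escape(query, quote=True)}</p>'


def reflects_raw_markup(rendered: str, query: str) -> bool:
    """Defender-side check: True if a query containing angle brackets
    appears verbatim in the rendered page, i.e. it was not escaped."""
    has_markup = '<' in query or '>' in query
    return has_markup and query in rendered


if __name__ == '__main__':
    for render in (render_results_vulnerable, render_results_hardened):
        page = render(SAMPLE_QUERY)
        print(render.__name__, '->', page,
              '| unescaped:', reflects_raw_markup(page, SAMPLE_QUERY))
```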

The vulnerability, which follows a similar exploit in the Google appliances from last year, has not been exploited to anyone’s knowledge, a Google spokesman said in a statement.

The Google spokesman said the company learned of the flaw from security group CERT on November 22 and provided customers with instructions on how to fix the problem on the same day.

Google was able to privately inform its customers about the risk, rather than publicly announce the security gaffe as is the case with Microsoft, because the search company has a smaller base of customers, according to Pescatore.

John Herron, who manages the NIST site, praised Google for its quick action.

While Google “did a really good job on this,” Herron said he is concerned many customers are not used to patching the devices designed for small businesses and are likely to be complacent.

Moreover, Herron said government agencies are already concerned about what impact such security vulnerabilities could have in a time of emergency.

“They’re afraid of a coordinated misinformation attack,” said Herron. “People would be led to sites with real government URLs but with fake information.”

Pescatore, meanwhile, said flaws in Google products are becoming more common.

“I hope they get better — they can’t live much longer on the reputation of being a friendly vendor, who isn’t Microsoft, if they want to sell to enterprises,” he said.