The new Firefox plug-in from Google that helps to thwart phishing schemes may itself pose a problem to users due to a security flaw.
Dr. Szell: Is it safe?
— Marathon Man, 1976
Maybe not, Christian. Nitesh Dhanjani posted some concerns he has about the Google Safe Browsing plug-in for Firefox.
Every request made while using the plug-in goes to Google. Dhanjani tested a legit site and a phishing site, intercepted the traffic, and observed that behavior. The first problem comes with the data being sent to Google:
Every request is transmitted to Google over HTTP, i.e. in clear-text.
Clear-text means plain, easy-to-read text. Because GET parameters are part of the URL, and the plug-in reports the URL, Dhanjani writes that if a web application sends your information in a GET request instead of a POST, anyone sitting on the network between you and Google with a packet sniffer can easily read your credit card number or any other personal information.
GET figures in Dhanjani’s second issue with the plug-in:
The extension sends the entire GET request to Google. If a web application were to send private information via GET parameters, this will now be transmitted to Google.
So even if no malicious parties are camping out on the wire and sniffing that information, it’s still traveling in the clear to Google. Typical users won’t know if their bank or credit card company uses GET or POST for web applications; Dhanjani believes a lot of web applications don’t use POST.
Let’s hope a few people in banking and financial IT pick up on this and check out their applications. Is it safe?
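The kind of check those IT teams could run, as an added example that is not from Dhanjani’s post or from the plug-in: a Python helper that looks at a URL the way any URL observer (a sniffer on the wire, or a service the URL is reported to) would, flags query parameters that carry private data by name or because the value passes the Luhn card-number check, and redacts them before the URL is written to a log. The parameter-name list and the sample URL are constructed for this example.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode

# Parameter names that commonly carry private data (constructed audit list).
SENSITIVE_KEYS = {"password", "passwd", "pwd", "ssn", "ccnum", "cvv", "pin", "account"}

# Constructed sample of a form submitted with GET: every value below is in the URL.
SAMPLE_URL = "http://bank.example/transfer?user=alice&amount=250&card=4111-1111-1111-1111&pin=1234"


def luhn_valid(digits: str) -> bool:
    """True if a 13-19 digit string passes the Luhn checksum used by payment card numbers."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def audit_url(url: str) -> list:
    """Return (parameter, reason) pairs for query values that look like private data.

    Anything flagged here leaves the browser inside the URL, so a sniffer on a
    clear-text link or a URL-reporting plug-in would see it.
    """
    findings = []
    for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if key.lower() in SENSITIVE_KEYS:
            findings.append((key, "sensitive parameter name"))
        elif luhn_valid(re.sub(r"[ -]", "", value)):
            findings.append((key, "value passes Luhn check (possible card number)"))
    return findings


def redact_url(url: str) -> str:
    """Replace flagged parameter values with REDACTED so the URL can be logged safely."""
    parts = urlsplit(url)
    flagged = {key for key, _ in audit_url(url)}
    pairs = [(k, "REDACTED" if k in flagged else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return parts._replace(query=urlencode(pairs)).geturl()


if __name__ == "__main__":
    for key, reason in audit_url(SAMPLE_URL):
        print(f"{key}: {reason}")
    print(redact_url(SAMPLE_URL))
```

Run against a web server’s access log, the same two functions show which GET forms leak data into URLs and how to scrub them before retention.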
David Utter is a staff writer for murdok covering technology and business.