Minor Google Security Lapse Obscures Ongoing Online Data Risk

Information gathered for Google's Safe Browsing extension for Firefox wasn't safely stored on Google's servers, according to a report issued by computer security company Finjan.

Finjan today confirmed earlier reports that Google's anti-phishing blacklist, containing private user names and passwords, was accessible without protection on Google's servers. The company said that it made the discovery on Jan. 3, that it informed Google, and that the data is no longer publicly accessible.

In a statement, Google explained, "Some URLs users submitted to the Google Safe Browsing project included credential information such as login and/or password for the Web site they were visiting. We have removed this information from URLs in the blacklist and created a process whereby this information is automatically stripped from future URLs submitted by users. In addition, we are in the process of notifying the users who inadvertently disclosed this information and suggesting that they reset associated passwords."

Finjan said in its report, "Such sensitive information could potentially have been used to compromise user privacy, and could even have been used for identity theft or financial profit (as users generally have a single 'Web' password for most of their online accounts)."

It could also be used for marketing, if you happen to be selling security products.Google said 15 people have been notified. There's no indication that the data in question has been abused.

While Google reacted swiftly to the issue -- one caused by user carelessness -- it continues to make sensitive personal information available through its search engine, as do the other major search engines. And it's up to search engine users to police that information.

As InformationWeek reported in August 2005, searching for terms related to Social Security numbers using a search engine continues to return Social Security numbers, key data for identity theft.

In fact, Google is downright helpful when it comes to finding Social Security numbers: In one case -- and it may be the only one -- Google will identify an individual whose Social Security number has been posted online, thanks to a feature in the Google Toolbar that generates search suggestions based on popular searches. (Evidently, a lot of people have searched for this person's Social Security number.)

Entering two keywords related to Social Security numbers -- call them "x" and "y" so as not to compound the problem -- into the Google Toolbar will produce a keyword search suggestion in the form "x y John Doe." Selecting the suggested search terms and name, as might be expected, generates a search results page with the named person's Social Security number.A spokesperson for Google said the company's engineers didn't have an immediate explanation for the auto-generated suggestion, that it was probably an aberration and that the suggetion would likely be removed.

Google explains the search suggestion feature as follows: "As you type a search query into the new Toolbar's search box, you'll see a list of useful suggestions based on popular Google searches, spelling corrections, and your own Toolbar search history and bookmarks."

A Google spokesperson acknowledged receiving the same suggestion using the search terms cited above, so it appears that this particular suggestion was made because the terms represented a popular search rather than as a result of local search history at any single computer.

Google has been aware of the problem of indexing sensitive information and discusses it in its Help Center. The company points out that its search index reflects the contents of the Web, and removing sensitive information from its index does not remove it from the Web. Thus, Google encourages users to seek to remove sensitive information from the Web rather than just its index.

Google is willing to help, however. The company says, "If you find a page in our search results that lists your Social Security, credit card, or bank account numbers, please e-mail us the URL and we'll contact the site's hosting company to request that the page be taken down from the Web."Google also encourages users to use its search engine as a free credit card and Social Security number monitoring service for Web-based content. "We also suggest that individuals create Google Alerts for their credit card and Social Security numbers," the company recommends. "You can be notified once a day or once a week if a new result appears on Google for this query."

Or you could just wait for notification of a data breach, as required by California law.