Google confirms phishing flaw

Google has confirmed a phishing vulnerability on its Public Service Search, and the program remains closed for new sign-ups until it is permanently fixed.

The flaw, noted last week in Eric Farraro's software development blog, allows scammers to enter JavaScript code that could be used to create pages hosted on the google.com domain. Those pages, in turn, could be used in phishing attacks.

"While Google suffered from similar attacks in the past, most of them have had suspicious URLs, at least to the advanced user," Farraro said. "Using the exploit in this service, a malicious attacker could launch phishing sites that even advanced users could fall for."

The Public Service Search application provides cost- and advertising-free searching services for educational institutions and nonprofit organizations across the world.

Cory Altheide, a Google security manager, said on the company's Webmaster Central Blog that a temporary patch is in place and that the search engine giant is not aware of the flaw being exploited for any wrongdoing.

"Our nonprofit and university users are extremely important to us, and we apologize for any inconvenience this may cause," he said last week.
