Finjan had a press release yesterday stating that Google’s anti-phishing blacklist leaks passwords. It seems that Google has already cleaned up the problem, as I can’t find any passwords in the current blacklist found here. Ars Technica, TechCrunch, InformationWeek, and many others had writeups of this problem.
But what is this blacklist, and how did the data get there? The blacklist is a list of URLs that Google has classified as phishing sites, to help end users avoid fraud. So how does Google determine this, and how is that data being transferred? Nitesh Dhanjani has a pretty good writeup about this over at O’Reilly. We know that information is transferred to Google via the safe-browsing extension, but which version is vulnerable to this? The downloadable Google Toolbar has one version, the Firefox extension has another, and Firefox 2 has a built-in version. As for how the data got there, that was due to poor design on the part of the website(s): the username and password were in the URL, and since the extension sends whole URLs, that data ended up on Google’s blacklist. I didn’t even think people coded sites this way anymore!
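To make the failure mode concrete, here is an added example (my own code, not anything from Google, Finjan, or the extensions mentioned above) showing both halves of the problem: a check that flags URLs carrying credentials in the userinfo part or in query parameters, and the kind of sanitizing a client should do before handing a URL to any third-party lookup service, keeping only scheme, host and path. The list of parameter names, the `SAMPLE_URLS` and the function names are all constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl

# Query parameter names that commonly carry secrets. This list is an
# assumption for the example; a real scanner would tune it per site.
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "pass", "secret",
                    "token", "session", "sessionid"}


def find_credentials_in_url(url: str) -> list:
    """Return labels for each credential-bearing part found in the URL.

    Two places are checked: the userinfo component (http://user:pw@host/)
    and query-string parameters whose name is in SENSITIVE_PARAMS.
    """
    parts = urlsplit(url)
    findings = []
    if parts.username is not None:
        findings.append("userinfo")
    # keep_blank_values so an empty "password=" is still reported
    for name, _value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE_PARAMS:
            findings.append(f"query:{name}")
    return findings


def sanitize_url_for_reporting(url: str) -> str:
    """Strip userinfo, query string and fragment before the URL leaves the client.

    Only scheme, host (with port, if any) and path survive, which is enough
    for a phishing lookup and cannot carry a password from the query string.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    if ":" in host:                 # IPv6 literal: urlsplit removed the brackets
        host = f"[{host}]"
    if parts.port is not None:
        host = f"{host}:{parts.port}"
    return urlunsplit((parts.scheme, host, parts.path, "", ""))


# Constructed sample URLs of the shape the post describes (credentials in the
# URL itself); these are not real sites from the blacklist.
SAMPLE_URLS = [
    "http://example.com/login.php?user=alice&password=hunter2",
    "http://bob:s3cret@example.com/admin/",
    "https://example.com/index.html",
]


def scan(urls) -> dict:
    """Map each URL to the credential findings for it (empty list if clean)."""
    return {u: find_credentials_in_url(u) for u in urls}


if __name__ == "__main__":
    for url, hits in scan(SAMPLE_URLS).items():
        print(f"{url}\n  findings: {hits or 'none'}\n  safe to report: {sanitize_url_for_reporting(url)}")
```

The sanitizer is deliberately lossy: a lookup service only needs the host and path to decide whether a page is a known phishing site, so dropping the query string costs nothing and removes the channel through which the passwords in this incident travelled. The detector is the complementary check a site owner can run over access logs to find out whether their own application is putting credentials into URLs in the first place.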
Michael Sutton also researched the blacklist and talks in detail about it here and here.