According to this blog entry, a software developer named Eric Farraro has discovered a vulnerability in a little-known Google service called Google Public Service Search that could enable scammers to host phishing sites on Google’s domain. Yikes! Public Service Search (temporarily disabled…I wonder why!) is a free service that allows educational institutions and nonprofits to offer Google’s site search for their domain only. The trick is that Google allows the NPOs to customize the results page with logos, contact information and other formatting in the header and footer areas of Google’s search results page. According to Farraro, the vulnerability exists in the way Google supports that customization — basically allowing Public Service Search customers to run any JavaScript they want on the search results page. Farraro was able to use this feature to create a phony Google login page that would harvest user credentials. Try it out here. The really dangerous part, as you can see from the test site, is that the phishing site is hosted on Google’s servers and carries a google.com domain, which most users would tend to trust. Google has since taken down the Public Service Search login, and we can imagine a fix is in the works that will disable or restrict JavaScript in the customization. More info to follow and, hopefully, some comment from GOOG.
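As an added example (not code from the original post, and not Google's implementation), here is the kind of server-side fix the post anticipates: a Python allowlist sanitizer for partner-supplied header/footer markup that rebuilds the HTML from a fixed set of tags and attributes, so script blocks, on* event handlers, comments and javascript: URLs never reach the rendered results page. The allowlist policy, `HeaderFooterSanitizer` and `sanitize_header_footer` are this example's own names and assumptions.

```python
import html
from html.parser import HTMLParser

# Hypothetical allowlist for partner-supplied header/footer markup (this example's policy,
# not Google's). Everything not listed is stripped; on* event handlers are never allowed.
ALLOWED_TAGS = {"div", "span", "p", "a", "img", "b", "i", "strong", "em", "br", "h1", "h2", "h3"}
ALLOWED_ATTRS = {"*": {"class", "id", "title"}, "a": {"href"}, "img": {"src", "alt", "width", "height"}}
VOID_TAGS = {"br", "img"}
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed", "form", "svg", "math"}

def safe_url(value):
    # Allowlist http(s) and same-origin relative URLs; whitespace is removed first so that
    # "java\tscript:" style obfuscation cannot slip past the prefix check.
    v = "".join((value or "").split()).lower()
    return v.startswith(("http://", "https://")) or (v.startswith("/") and not v.startswith("//"))

class HeaderFooterSanitizer(HTMLParser):
    def __init__(self):
        super().__init__()
        self.out, self.skip_depth = [], 0  # skip_depth > 0 while inside a dropped element

    def handle_starttag(self, tag, attrs):
        if self.skip_depth or tag in DROP_WITH_CONTENT:
            self.skip_depth += tag not in VOID_TAGS  # void tags have no matching end tag
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown element: the tag is dropped, its text is kept
        allowed = ALLOWED_ATTRS["*"] | ALLOWED_ATTRS.get(tag, set())
        kept = [f' {n}="{html.escape(v or "", quote=True)}"' for n, v in attrs
                if n in allowed and (n not in ("href", "src") or safe_url(v))]
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in VOID_TAGS:
            return
        if self.skip_depth:
            self.skip_depth -= 1
        elif tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))  # HTML comments go to the no-op handle_comment

def sanitize_header_footer(markup):
    parser = HeaderFooterSanitizer()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)
```

Because the output is rebuilt from the allowlist rather than filtered by blocklist, a new browser quirk or unknown tag fails closed: it is simply never emitted.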