Finjan, a provider of proactive web security solutions for businesses and organizations, reconfirmed recent reports that Google has unwittingly exposed private user names and passwords on the Google anti-phishing blacklist, which did not use any access protection.

Finjan belives that such sensitive information could potentially have been used to compromise user privacy, and could even have been used for identity theft or financial profit (as users generally have a single "web" password for most of their online accounts).

On January 3, 2007, Finjan's Malicious Code Research Centre (MCRC) researchers discovered that a list of URLs was available and unprotected on Google's servers and immediately informed Google, which acknowledged receipt of the alert about the vulnerability.

Finjan believes the information on the servers had been gathered using Google's anti-phishing browser extension and it has notified all affected users. Recent tests conducted by Finjan confirm that there is no data leakage on the current Google anti-phishing blacklist.

"Finjan became aware of the problem after examining a publicly available list of URLs provided from Google's servers," said Yuval Ben-Itzhak, Finjan's chief technology officer. "Finjan found that sensitive user information was available on the web with no access protection, including e-mail, user names, passwords and session tokens that could be used by hackers to compromise users' privacy."

Finjan warns enterprises that they must minimize the risk of exposing confidential information from similar web applications. Finjan recommends that users make sure that they have proactive protection in their web security solution.

Users are also recommended to check their vendor's research capabilities and their ability to provide up-to-date information which is immediately translated it into actionable security measures.

Finally, Finjan recommends that users examine their egress data policy to make sure that they cover all known and suspicious site access.