Nitesh Dhanjani said that Google claims that its Firefox extension protects you from phishing or spoofing. It works by using a blacklist containing pages that have been identified as suspicious and/or misleading based on automated detection or user reports. It also examines pages' content and structure in order to catch potentially misleading pages.
However, when Dhanjani had a look at the traffic the extension sent to Google, he was surprised to discover how much it was actually sending in clear text, which made it a doddle to sniff off the wire.
He said that the extension sends the entire GET request to Google. If a web application were to send private information via GET parameters, this would now be transmitted to Google. The net result is that Google, and anyone who may be watching, ends up with a pile of your personal data.
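One way a URL-lookup client could limit the exposure described above is to reduce each URL to scheme, host and path before it leaves the browser. This is an added example, not code from the extension or from Google; the function names, the list of sensitive parameter names and the sample URLs are all constructed for illustration.

```javascript
'use strict';
// Added example. The parameter-name list and sample URLs are constructed.
const SENSITIVE_NAMES = new Set([
  'sessionid', 'session', 'sid', 'token', 'auth',
  'password', 'passwd', 'pwd', 'email', 'ssn', 'account', 'card',
]);

// Constructed sample input, as it might appear in a browser history or proxy log.
const SAMPLE_URLS = [
  'https://bank.example/transfer?account=12345678&amount=250&sessionid=abc123',
  'http://user:secret@intranet.example:8080/reports/q3?email=alice%40example.com#page2',
  'https://news.example/story/42',
  'file:///home/alice/notes.txt',
];

// Reduce a URL to what a reputation lookup needs: scheme, host[:port] and path.
// The query string, fragment and embedded credentials are dropped.
// Non-web schemes are never submitted (null).
function lookupKey(rawUrl) {
  const u = new URL(rawUrl);
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
  return `${u.protocol}//${u.host}${u.pathname}`;
}

// Names of GET parameters in the URL that look like secrets or personal data.
function sensitiveParams(rawUrl) {
  const names = [...new URL(rawUrl).searchParams.keys()];
  return names.filter((n) => SENSITIVE_NAMES.has(n.toLowerCase()));
}

// Compare what a full-URL lookup would disclose with what the reduced key sends.
function audit(urls) {
  return urls.map((raw) => {
    const u = new URL(raw);
    return {
      wouldSend: lookupKey(raw),
      droppedQuery: u.search !== '',
      droppedCredentials: u.username !== '' || u.password !== '',
      sensitive: sensitiveParams(raw),
    };
  });
}

console.log(JSON.stringify(audit(SAMPLE_URLS), null, 2));
```

Stripping the query trades some detection precision for privacy, since a lookup can no longer distinguish pages that differ only by parameter.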