Google had a bit of egg on its face Friday after a programmer set up a site that looked like an upgrade to Gmail, but actually demonstrated a flaw in the site's security.

The fake log-in page for "Gmail Plus" is an example of a phishing site, a forgery of a genuine site designed to fool users into giving up private information such as passwords.

This case was unusual because the phishing site was on Google's own domain,

According to a blog entry byEric Farraro, hemade the page to show a flaw in the design of a little-known Google service called Google Public Service Search, which provides a co-branded search page for universities and non-profit groups.

Farraro was able to set up a page at, created a site that looked similar to the Gmail log-in page and used code written in Javascript to remove the Google co-branding.

Entering account information on the fake log-in page brought up a new page with the message "You (could have) gotten served!" and a copy of the user name and password entered.

Farraro said he notified Google of the exploit the day after he found it. Google has taken down the page and disabled Google Public Service Search.