Google has refused to fix a vulnerability on its login page that attackers could exploit to serve up malware, according to security researcher Aidan Woods.
Woods found that Google's login page allows an app or service to redirect the user to another page immediately after signing in. He argues that attackers could use this to trick a user into clicking a Google link that ultimately points to a malicious file.
But after Woods reported the problem and a lengthy exchange with the company, Google decided not to act on it and declined to track it as a security bug.
The search giant argues that the redirect target has to be under a "google.com" domain, which limits any impact.
Despite this, Woods stated that criminals could still use Google Drive or Google Docs to dupe users. He explains the vulnerability further:
Google's login page accepts a vulnerable GET parameter, namely "continue". As far as I can determine, this parameter undergoes a basic check:
- Must point to *.google.com/*
The application fails to verify the type of Google service that has been specified. This means that it is possible to seamlessly insert any Google service at the end of the login process.
Furthermore, Woods says that it is possible to specify an open redirect through "https://www.google.com/amp/[any_domain_here]", or an arbitrary file, provided the file has been uploaded to Google Drive, like so:
- https://docs.google.com/uc?id=[file_id_here]&export=download
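To illustrate the weakness described above, the following added example (not code from Google or from Woods) contrasts a host-suffix check of the kind "must point to *.google.com/*" with a per-service allow-list of hosts and path prefixes; the allow-list entries, the sample URLs and FILE_ID_PLACEHOLDER are constructed for the demonstration.

```python
"""Why a host-suffix rule on a post-login "continue" target is not enough.

A rule of "must point to *.google.com/*" accepts any Google-hosted service,
including ones that forward elsewhere or serve user-uploaded files.
The allow-list below is hypothetical; the page does not list the real rules.
"""
import posixpath
from urllib.parse import urlsplit

# Constructed sample redirect targets (FILE_ID_PLACEHOLDER is not a real id).
SAMPLE_CONTINUES = {
    "mail":      "https://mail.google.com/mail/u/0/",
    "amp":       "https://www.google.com/amp/example.invalid/page",
    "download":  "https://docs.google.com/uc?id=FILE_ID_PLACEHOLDER&export=download",
    "traversal": "https://mail.google.com/mail/../amp/example.invalid",
    "http":      "http://mail.google.com/mail/",
}

def host_suffix_check(url: str) -> bool:
    """The check the article describes: any *.google.com host passes."""
    host = (urlsplit(url).hostname or "").lower()
    return host == "google.com" or host.endswith(".google.com")

# Hypothetical allow-list: host -> path prefixes a post-login redirect may use.
ALLOWED_CONTINUES = {
    "mail.google.com": ("/mail",),
    "www.google.com": ("/webhp", "/search"),
}

def allowlist_check(url: str) -> bool:
    """Require https, a listed host and a listed path prefix after normalisation."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.username or parts.password or parts.port:
        return False
    prefixes = ALLOWED_CONTINUES.get((parts.hostname or "").lower())
    if prefixes is None:
        return False
    # Resolve "..": a browser would request /amp/... for /mail/../amp/...
    path = posixpath.normpath(parts.path or "/")
    return any(path == p or path.startswith(p + "/") for p in prefixes)

def evaluate(urls=SAMPLE_CONTINUES):
    """Return {label: (host_suffix_result, allowlist_result)} for each sample."""
    return {k: (host_suffix_check(u), allowlist_check(u)) for k, u in urls.items()}

if __name__ == "__main__":
    for label, (weak, strict) in evaluate().items():
        print(f"{label:10} host-suffix={weak!s:5} allow-list={strict}")
```

The host-suffix rule accepts every sample, including the forwarding and file-download paths; the allow-list accepts only the listed mail path.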
Google explained why it did not consider the issue serious:
Only first reports of technical security vulnerabilities that substantially affect the confidentiality or integrity of our users' data are in scope, and we feel the issue you mentioned does not meet that bar.
Despite all this, we advise our readers to be careful about where they go on the internet, especially when a page asks for login credentials. Phishing attacks are everywhere, and it is best to be wary of what we do online.
Source: Aidan Woods via ZDNet