Recently, Aidan Woods, a British security researcher, discovered a bug in the Google login page. It allows malware attacks and affects all browsers and all operating systems. However, the Google Security Team has decided not to register it as a security bug.
The issue enables attackers to insert a compromised redirect destination that is followed after a click on the Sign In button. Furthermore, because the bug is currently exploitable, attackers can trigger automatic file downloads onto users’ computers.
Google uses the parameter “continue=/link/” in the login page. Its function is to tell the Google server where to redirect the user once the authentication step is passed. In his experiment, Aidan Woods established that this parameter can be easily abused. According to him, even though the parameter undergoes a basic check that the redirect points to *.google.com/*, the check does not verify which Google service follows. This, in turn, may cause security issues.
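To make the weakness of that check concrete, here is an added example (not code from the article or from Google) contrasting a wildcard host check with an allowlist of the specific hosts and paths a login page is permitted to continue to. The login origin, fallback URL and allowlist entries are assumptions constructed for the example.

```python
from urllib.parse import urlparse, urljoin

# Hypothetical redirect validator. It is not Google's code; it illustrates why
# "any host under .google.com" is too broad a rule for a post-login redirect.

LOGIN_ORIGIN = "https://accounts.google.com"   # assumed origin of the login page
FALLBACK = "https://www.google.com/"           # assumed safe default landing page

# Hosts and path prefixes the login flow may legitimately hand off to.
# Constructed for the example; not a real list of Google services.
ALLOWED_CONTINUE = {
    "mail.google.com": ("/mail/",),
    "www.google.com": ("/",),
}


def weak_is_allowed(url: str) -> bool:
    """Wildcard check of the kind the article describes: any HTTPS host
    ending in .google.com passes, whatever service or path it points to."""
    p = urlparse(url)
    return p.scheme == "https" and (p.hostname or "").endswith(".google.com")


def strict_is_allowed(url: str) -> bool:
    """Allowlist check: scheme, exact host and path prefix must all match."""
    p = urlparse(url)
    if p.scheme != "https" or p.hostname not in ALLOWED_CONTINUE:
        return False
    return any(p.path.startswith(prefix) for prefix in ALLOWED_CONTINUE[p.hostname])


def resolve_continue(continue_param: str) -> str:
    """Return the post-login redirect target, substituting a safe default
    whenever the supplied 'continue' value is not on the allowlist."""
    # Resolve relative values against the login origin first, so that
    # scheme-relative values such as '//other.example/' become absolute
    # and are checked as the browser would actually interpret them.
    target = urljoin(LOGIN_ORIGIN + "/", continue_param)
    return target if strict_is_allowed(target) else FALLBACK
```

A file-hosting link such as a constructed https://drive.google.com/file/d/CONSTRUCTED_ID/view passes the weak check but is rejected by the allowlist, which is exactly the gap the article describes.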
Where Does the Danger of Malware Infection Lie?
Maybe you are wondering:
What is the security issue if links to different Google services can pass the check on the “continue” parameter implemented in the login process?
Well, let’s turn your attention to the Google Drive and Google Docs services, whose URLs contain the strings drive.google.com and docs.google.com, or more concretely, match *.google.com/*. Therefore an attacker could upload malware to a Google Drive or Google Docs account. What follows is to take that URL, go to the official Google login page and hide the link in the URL address. Afterward, they would probably try to mislead users by sending spear-phishing emails that contain the malicious link. Carefully check all received emails that offer a Google login URL.
“Always check the URL – before entering credentials – including at each stage of the login process.”
By accessing the misleading page, entering the login credentials, and pressing the Sign In button, users become victims of a cyber-attack. The click on the Sign In button leads to an automatic download of a malicious file onto the PC. Less technical users might be tricked into installing malware on their computers by smartly named exe files, for example:
- Login_Challenge.exe
- Two-Factor-Authentication.exe
Google’s Position on the Case
Aidan Woods contacted the Google Security Team. He opened several reports on the issue, but all of them were closed. On his site he published the last report, which ends with this statement from Google:
“Hey,
Thanks for your bug report and research to keep our users secure! We’ve investigated your submission and made the decision not to track it as a security bug…”
He has also provided a video of the faulty login pages.