A security researcher recently discovered and reported a Google Drive vulnerability which could lead to malware attacks.
The bug is unpatched and could allow threat actors to spread malicious files masqueraded as legitimate documents or images. Further, this could then enable attackers to carry out quite successful spear-phishing attacks.
Where does the Google Drive vulnerability reside?
According to the person who reported the vulnerability, A. Nikoci, a system administrator, the vulnerability is located in the “manage versions” functionality. The feature allows users to upload and manage various versions of a file. In other words, this could enable users to update an older version of a file with a new one with the same file extension. However, it turns out that the functionality also enables users to upload a new version with any file extension for any file in Google Drive. This includes a malicious executable, too.
Nikoci got in touch with TheHackerNews and shared with the team his discovery. The demo videos reveal that a legitimate version of the file that has already been shared with a group of users, can be replaced by a malicious file. Furthermore, the upload of the malicious file remains “silent”, as there is no indication of any changes. However, when downloaded, this file can be utilized in malware attacks. This also makes this vulnerability highly exploitable by spear phishing threat groups that utilize cloud services to deliver malware to their selected targets.
In December 2019, Google patched a dangerous vulnerability in Gmail which was related to an instance in which web browsers execute rich code, also known as “DOM Clobbering”. The problem stemmed from the dynamic HTML content loading scripts. The engine which is responsible for this is called AMP4Email — it allows the web browsers to load dynamic elements and rich formatting when the messages are being composed.
The vulnerability came from the fact that the AMP4Email contained a strong validator which used the mechanism of a whitelist to enable the specific type of content that could be passed to the email composer. If the users tried to insert an unauthorized HTML element, it could be discarded and an error message would be displayed.
The security analysis of AMP4Email revealed that threat actors could manipulate the code fields in order to carry out a cross-site scripting attack (XSS attack) and the loading of unauthorized and malicious objects that carry malware.