Imagine there is a currently exploitable bug in Google. Well, truth is you don’t need to imagine it because it is already there! British security researcher Aidan Woods just disclosed an issue found on Google’s login page. This issue enables attackers to automatically download files on the user’s computer. All they need to do is press the Sign In button, and voila! According to the researcher, Google has been notified of the issue but hasn’t done anything so far to mitigate. Because of Google’s response not to treat the issue as a bug, the researcher decided to make it public, in hopes that the company will take measures.
Google’s Faulty Login Pages Explained
The functionality of the login submit action can be poisoned, such as:
- An arbitrary step is appended to the end of the login procedure (e.g. a “password incorrect, please try again” page, which steals credentials upon the user re-entering them)
- An arbitrary file is sent to the user’s browser each time the login form is submitted, without unloading the login page
- Etc… vectors only limited by breadth of Google services that could be misused under the guise of a login step
The Vulnerability Depicted
Google’s login page accepts a vulnerable GET parameter, the researcher writes. The faulty parameter goes through a basic check:
→Must point to *.google.com/*
The application also fails to authenticate the Google service specified. What does this mean? Any Google service can be inserted at the end of the login process, like:
- Open Redirects (pick one)
- Arbitrary File Upload (Google Drive)
Eventually, malicious actors could host malware on Google Drive/ Google Docs. drive.google.com, docs.google.com could be passed as valid “continue” parameters within the login URL. Then, the attacker would be able to upload malware to their Google Drive or Google Docs account, and conceal it within the official Google login.
Then, these links could be sent out to users who would open them believing they are legitimate Google login URLs. Once the page is accessed an logged in, malicious files can be downloaded onto the victim’s system only by pressing the Sign In button.
What Did Google Say?
Thanks for your bug report and research to keep our users secure! We’ve investigated your submission and made the decision not to track it as a security bug. This report will unfortunately not be accepted for our VRP. Only first reports of technical security vulnerabilities that substantially affect the confidentiality or integrity of our users’ data are in scope, and we feel the issue you mentioned does not meet that bar :(
What do you think? Does the issue deserve Google’s attention?