Forestil der er en for tiden udnyttes fejl i Google. Godt, Sandheden er, at du ikke behøver at forestille mig det, fordi det allerede er der! Britiske sikkerhed forsker Aidan Woods bare oplyses et problem findes på Googles login-side. This issue enables attackers to automatically download files on the user’s computer. All they need to do is press the Sign In button, og voila! Ifølge forsker, Google has been notified of the issue but hasn’t done anything so far to mitigate. Because of Google’s response not to treat the issue as a bug, the researcher decided to make it public, in hopes that the company will take measures.
Google’s Faulty Login Pages Explained
The functionality of the login submit action can be poisoned, såsom:
- An arbitrary step is appended to the end of the login procedure (f.eks. en “password incorrect, please try again” side, which steals credentials upon the user re-entering them)
- An arbitrary file is sent to the user’s browser each time the login form is submitted, without unloading the login page
- etc… vectors only limited by breadth of Google services that could be misused under the guise of a login step
The Vulnerability Depicted
Google’s login page accepts a vulnerable GET parameter, forskeren skriver. The faulty parameter goes through a basic check:
→Must point to *.google.com/*
The application also fails to authenticate the Google service specified. Hvad betyder det? Any Google service can be inserted at the end of the login process, lignende:
- Open Redirects (pick one)
- Arbitrary File Upload (Google Drev)
Til sidst, malicious actors could host malware on Google Drive/ Google Docs. drive.google.com, docs.google.com could be passed as valid “continue” parameters within the login URL. Derefter, the attacker would be able to upload malware to their Google Drive or Google Docs account, and conceal it within the official Google login.
Derefter, these links could be sent out to users who would open them believing they are legitimate Google login URLs. Once the page is accessed an logged in, malicious files can be downloaded onto the victim’s system only by pressing the Sign In button.
What Did Google Sige?
Thanks for your bug report and research to keep our users secure! We’ve investigated your submission and made the decision not to track it as a security bug. This report will unfortunately not be accepted for our VRP. Only first reports of technical security vulnerabilities that substantially affect the confidentiality or integrity of our users’ data are in scope, and we feel the issue you mentioned does not meet that bar :(
Hvad synes du? Does the issue deserve Google’s attention?