Bug i Google Login Pages kan forårsage Malware download - Hvordan, Teknologi og pc-sikkerhed Forum | SensorsTechForum.com
CYBER NEWS

Bug i Google Login Pages kan forårsage Malware download

1 Star2 Stars3 Stars4 Stars5 Stars (Ingen stemmer endnu)
Loading ...

sårbarhed-stforum

Forestil der er en for tiden udnyttes fejl i Google. Godt, Sandheden er, at du ikke behøver at forestille mig det, fordi det allerede er der! Britiske sikkerhed forsker Aidan Woods bare oplyses et problem findes på Googles login-side. This issue enables attackers to automatically download files on the user’s computer. All they need to do is press the Sign In button, og voila! Ifølge forsker, Google has been notified of the issue but hasn’t done anything so far to mitigate. Because of Google’s response not to treat the issue as a bug, the researcher decided to make it public, in hopes that the company will take measures.


Google’s Faulty Login Pages Explained

The functionality of the login submit action can be poisoned, såsom:

  • An arbitrary step is appended to the end of the login procedure (f.eks. en “password incorrect, please try again” side, which steals credentials upon the user re-entering them)
  • An arbitrary file is sent to the user’s browser each time the login form is submitted, without unloading the login page
  • etc… vectors only limited by breadth of Google services that could be misused under the guise of a login step

The Vulnerability Depicted

Google’s login page accepts a vulnerable GET parameter, forskeren skriver. The faulty parameter goes through a basic check:

Must point to *.google.com/*

The application also fails to authenticate the Google service specified. Hvad betyder det? Any Google service can be inserted at the end of the login process, lignende:

  • Open Redirects     (pick one)
  • Arbitrary File Upload  (Google Drev)

Til sidst, malicious actors could host malware on Google Drive/ Google Docs. drive.google.com, docs.google.com could be passed as valid “continue” parameters within the login URL. Derefter, the attacker would be able to upload malware to their Google Drive or Google Docs account, and conceal it within the official Google login.

Derefter, these links could be sent out to users who would open them believing they are legitimate Google login URLs. Once the page is accessed an logged in, malicious files can be downloaded onto the victim’s system only by pressing the Sign In button.


What Did Google Sige?

Thanks for your bug report and research to keep our users secure! We’ve investigated your submission and made the decision not to track it as a security bug. This report will unfortunately not be accepted for our VRP. Only first reports of technical security vulnerabilities that substantially affect the confidentiality or integrity of our usersdata are in scope, and we feel the issue you mentioned does not meet that bar :(

Hvad synes du? Does the issue deserve Google’s attention?

Milena Dimitrova

En inspireret forfatter og indhold leder, der har været med SensorsTechForum for 4 år. Nyder ’Mr. Robot’og frygt’1984’. Fokuseret på brugernes privatliv og malware udvikling, hun tror stærkt på en verden, hvor cybersikkerhed spiller en central rolle. Hvis almindelig sund fornuft giver ingen mening, hun vil være der til at tage noter. Disse noter senere kan blive til artikler!

Flere indlæg

Efterlad en kommentar

Din e-mail-adresse vil ikke blive offentliggjort. Krævede felter er markeret *

Frist er opbrugt. Venligst genindlæse CAPTCHA.

Del på Facebook Del
Loading ...
Del på Twitter Tweet
Loading ...
Del på Google Plus Del
Loading ...
Del på Linkedin Del
Loading ...
Del på Digg Del
Del på Reddit Del
Loading ...
Del på Stumbleupon Del
Loading ...