Stel je voor er is een moment exploiteerbare bug in Google. Goed, waarheid is dat je niet hoeft voor te stellen, want het is er al! Britse security-onderzoeker Aidan Woods net onthuld een probleem te vinden op Google's inlogpagina. This issue enables attackers to automatically download files on the user’s computer. All they need to do is press the Sign In button, en voila! Volgens de onderzoeker, Google has been notified of the issue but hasn’t done anything so far to mitigate. Because of Google’s response not to treat the issue as a bug, the researcher decided to make it public, in hopes that the company will take measures.
Google’s Faulty Login Pages Explained
The functionality of the login submit action can be poisoned, zoals:
- An arbitrary step is appended to the end of the login procedure (b.v.. een “password incorrect, please try again” pagina, which steals credentials upon the user re-entering them)
- An arbitrary file is sent to the user’s browser each time the login form is submitted, without unloading the login page
- Enz… vectors only limited by breadth of Google services that could be misused under the guise of a login step
The Vulnerability Depicted
Google’s login page accepts a vulnerable GET parameter, de onderzoeker schrijft. The faulty parameter goes through a basic check:
→Must point to *.google.com/*
The application also fails to authenticate the Google service specified. Wat betekent dit? Any Google service can be inserted at the end of the login process, zoals:
- Open Redirects (pick one)
- Arbitrary File Upload (Google Drive)
tenslotte, malicious actors could host malware on Google Drive/ Google Docs. drive.google.com, docs.google.com could be passed as valid “continue” parameters within the login URL. Dan, the attacker would be able to upload malware to their Google Drive or Google Docs account, and conceal it within the official Google login.
Dan, these links could be sent out to users who would open them believing they are legitimate Google login URLs. Once the page is accessed an logged in, malicious files can be downloaded onto the victim’s system only by pressing the Sign In button.
What Did Google Zeg?
Thanks for your bug report and research to keep our users secure! We’ve investigated your submission and made the decision not to track it as a security bug. This report will unfortunately not be accepted for our VRP. Only first reports of technical security vulnerabilities that substantially affect the confidentiality or integrity of our users’ data are in scope, and we feel the issue you mentioned does not meet that bar :(
Wat denk je? Does the issue deserve Google’s attention?