According to a recent finding by an independent UK based researcher Aidan Woods, Google login page is not very secure and allows attackers to steal users’ credentials. The attacker can also send an arbitrary file to the user’s browser each time the login form is submitted, without unloading the login page due to a bug in the login process.
The bug results from the fact that the Google login page will take a specific, weak GET parameter.
Google’s login page accepts a vulnerable GET parameter, namely ‘continue’. As far as I can determine, this parameter undergoes a basic check
Must point to *.google.com/*
The application fails to verify the type of Google service that has been specified. This means that it is possible to seamlessly insert any Google service at the end of the login process.
Aidan Woods further states that an attacker could easily change the parameter at the end of the login flow and insert any Google service at the end of the login process. An attacker could also make you download an arbitrary file from Google Drive any time the login form is submitted, provided public link sharing is enabled after uploading it to Google Drive.
Aidan Woods have notified Google about the vulnerability. However, Google responded that they did not consider it as a security issue and decided to do nothing. He even opened three separate reports with Google, in hope to convince the company about the severity of this vulnerability, but to no avail.
If I understand correctly the only attack scenario you have in mind is phishing, we invest in technologies to detect and alert users about phishing and abuse. Take a look at https://sites.google.com/site/bughunteruniversity/nonvuln/open-redirect. If you can come up with a convincing attack vector let me know.
Karshan – Google Security Team
Thanks for your bug report and research to keep our users secure! We’ve investigated your submission and made the decision not to track it as a security bug.
This report will unfortunately not be accepted for our VRP. Only first reports of technical security vulnerabilities that substantially affect the confidentiality or integrity of our users’ data are in scope, and we feel the issue you mentioned does not meet that bar 🙁
Bummer, we know. Nevertheless, we’re looking forward to your next report! To maximize the chances of it being accepted, check out Bughunter University and learn some secrets of Google VRP.
As Google believes this is not a security threat, Aidan Woods has made the vulnerability public in hope of attracting Google’s attention and to educate users with possible preventive actions.
This one feels very strange writing, because the vulnerability detailed below is currently exploitable. Google has been notified of this vulnerability, yet they have chosen to do nothing.
Google: Thanks for your bug report and research to keep our users secure! We’ve investigated your submission and made the decision not to track it as a security bug.
In hope that public disclosure will encourage Google to do otherwise, here goes.
Woods have also given some preventive steps a user can take to avoid being a victim
- Always check the URL – before entering credentials – including at each stage of the login process
- Avoid login after clicking links that don’t come directly from Google – bad links could be anywhere: even Google search results. An example use case would be behind the ruse of user protected content that requires sign-in (e.g. content on Google Drive)
- If it looks like Google sent you a file at sign-in, don’t run it. Regardless of what it is named, you can’t trust it.
You can read more about this issue by visiting https://www.aidanwoods.com/blog/faulty-login-pages
