Google’s Login Page Has a Bug! It Can Automatically Download Malware to Your Computer

We hope you have reliable anti-malware installed on your computer, because what we are about to tell you may come as a shock. As we all know, search giant Google is known for its services and has dominated the market.


We regularly use Google services like Gmail, Google Photos and Google Drive. But what if I told you that Google’s login page can allow hackers to automatically download files to your computer once the victim presses the Sign In button?


Aidan Woods, a British security researcher, has found a vulnerability in Google’s login page that allows crafty hackers to download files automatically to the user’s computer when they click the ‘Sign In’ button.

Any expert hacker can effortlessly upload malware, and users who receive such links are most likely to be tricked into thinking it’s the real Google login URL.

The problem at the heart of this security issue is that Google allows "continue=[link]" as a parameter in the login page URL, which tells the Google server where to redirect the user after authenticating.

Google has restricted its usage to google.com domains using the “*.google.com/*” rule, where * is a wildcard, because it expected that this parameter could raise security concerns. Woods determined that this meant drive.google.com or docs.google.com links could be accepted as valid “continue” parameters inside the login URL.


This link would then be sent to the user inside a spear-phishing email that would fool them into thinking it is the genuine Google login URL.

When the user opens this page and logs in, a file is downloaded to the victim's PC without user confirmation when they press the Sign In button.

A cleverly named file such as "Login_Challenge.exe" or "Two-Factor-Authentication.exe" would trick less technical users into installing malware on their computers.
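The gap between a wildcard redirect rule and a per-host allowlist can be shown in a few lines. The following is an added example, not code from Google or from Woods's report: `wildcard_allows` models the “*.google.com/*” rule as the article describes it, while `STRICT_ALLOWLIST`, its hosts and path prefixes, and the sample URLs are hypothetical values constructed for illustration.

```python
from urllib.parse import urlsplit

# Hypothetical strict policy (an assumption for this example): exact hosts,
# each limited to path prefixes that serve application pages, not user files.
STRICT_ALLOWLIST = {
    "mail.google.com": ("/mail/",),
    "myaccount.google.com": ("/",),
}

def _parse(target):
    """Return (host, path) for a well-formed https URL, else None."""
    # Browsers read "\" as "/" and drop control characters, so a server-side
    # parser and the browser can disagree on the host. Reject both outright.
    if "\\" in target or any(ord(c) < 0x21 for c in target):
        return None
    try:
        parts = urlsplit(target)
        port = parts.port
    except ValueError:
        return None
    if (parts.scheme != "https" or not parts.hostname
            or parts.username is not None or port not in (None, 443)):
        return None
    return parts.hostname.lower(), parts.path or "/"

def wildcard_allows(target):
    """Model of the *.google.com/* rule: any subdomain, any path."""
    parsed = _parse(target)
    return parsed is not None and parsed[0].endswith(".google.com")

def strict_allows(target):
    """Exact host plus an allowed path prefix, with no literal '..' segment."""
    parsed = _parse(target)
    if parsed is None:
        return False
    host, path = parsed
    if ".." in path.split("/"):
        return False
    return any(path.startswith(p) for p in STRICT_ALLOWLIST.get(host, ()))

# Constructed sample values for the continue parameter.
SAMPLES = [
    "https://mail.google.com/mail/u/0/",
    "https://drive.google.com/constructed-shared-file",
    "https://mail.google.com.other.example/mail/",
]

def compare(samples=SAMPLES):
    return {s: (wildcard_allows(s), strict_allows(s)) for s in samples}
```

`compare()` returns a (wildcard, strict) verdict pair per sample: the drive.google.com target passes the wildcard rule but fails the allowlist, because a subdomain that hosts user-supplied files is never listed as a post-login destination.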

Aidan Woods also contacted Google’s security team to report this bug, but they closed all of his reports. This was Google’s final reply:


“Thanks for your bug report and research to keep our users secure! We’ve investigated your submission and made the decision not to track it as a security bug. This report will unfortunately not be accepted for our VRP. Only first reports of technical security vulnerabilities that substantially affect the confidentiality or integrity of our users’ data are in scope, and we feel the issue you mentioned does not meet that bar.”

Reviewed by Tech Ugly on Thursday, September 01, 2016
