A software bug hunter recently revealed a method by which an attacker could either steal Google login credentials or plant malware files that appear to come from an authentic Google page.
Google responded by advising him that his findings do not qualify as bugs and they have made the decision not to track his submissions as vulnerabilities.
Aidan Woods, the security researcher who submitted the findings, details in his blog post how an attacker can poison a Google login page by appending a step to the login procedure, which could then redirect a user to a fake login page.
He also demonstrated how malware can be delivered using the same method. An attacker could send malicious files each time the login form is submitted and this could trick a user into installing them since they appear to be coming from the Google login page itself.
Woods claims that the vulnerability lies in a GET parameter of Google's login page. He says it is possible to insert any Google service at the end of the login process, including open redirects to any webpage and file uploads via Google Drive.
Google replied that Woods' findings are not convincing enough. In its view, the only attack scenario possible with Woods' method is phishing, and the search giant has safeguards that detect and alert users about phishing and abuse.
Woods insists that the vulnerabilities he found are currently exploitable and he hopes that his public disclosure will encourage Google to do something about it.
To read more about Woods' findings and his email exchange with Google, check out his blog page.
As preventative measures, here are his recommendations:
- Always check the URL of each stage of the login process.
- Avoid logging in after clicking links that do not come directly from Google.
- If it appears that a Google page sent a file upon logging in, users shouldn't run it.
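For developers of login flows, the issue described above (a GET parameter that accepts any service on the trusted domain as the post-login destination) can be shown as a weak domain-only check beside a stricter allowlist. This is an added example, not code from Woods or Google; `example.com`, the host names, the paths and all function names are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed values: example.com stands in for the login provider's own domain.
TRUSTED_SUFFIX = ".example.com"
# Exact (host, path prefix) pairs that may receive the user after login.
ALLOWED_DESTINATIONS = {
    ("mail.example.com", "/inbox"),
    ("accounts.example.com", "/settings"),
}
DEFAULT_DESTINATION = "https://accounts.example.com/settings"


def weak_check(target: str) -> bool:
    """Domain-only check: accepts every service hosted under the trusted domain,
    including any redirector or file-serving endpoint that lives there."""
    host = (urlsplit(target).hostname or "").lower()
    return host == TRUSTED_SUFFIX[1:] or host.endswith(TRUSTED_SUFFIX)


def strict_check(target: str) -> bool:
    """Accept only https URLs whose host and path match an allowlisted entry."""
    parts = urlsplit(target)
    if parts.scheme != "https" or parts.username or parts.password:
        return False
    if "\\" in target or ".." in parts.path:
        return False
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    return any(
        host == allowed_host and (path == prefix or path.startswith(prefix + "/"))
        for allowed_host, prefix in ALLOWED_DESTINATIONS
    )


def post_login_destination(target: str) -> str:
    """Return the requested destination if allowlisted, else a safe default."""
    return target if strict_check(target) else DEFAULT_DESTINATION


# Constructed sample values for the post-login destination parameter.
SAMPLES = [
    "https://mail.example.com/inbox",
    "https://redirector.example.com/url?q=https://other.test/login",
    "https://files.example.com/download?id=123",
    "http://mail.example.com/inbox",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s}\n  weak={weak_check(s)} strict={strict_check(s)}")
```

The second and third samples pass the domain-only check because they sit on the trusted domain, which is why the strict version matches host and path together.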