Google Declines to Fix Login Page Bug That Could Lead to Malware Download
One would expect the biggest names in tech to keep a login flow from pushing unknown files onto a user's machine. That is apparently not the case here. Aidan Woods has found a flaw in the URL whitelist of Google's login page that lets an attacker choose where users land after they sign in. The issue remains unpatched and, the researcher says, can also be used to trick users into downloading malicious files.
Google login page can lead to automatic malware download
Google's login page can be made to trigger file downloads on the user's computer, the security researcher claims. The problem lies in a GET parameter, "continue=[link]", that the login page accepts in its URL and that tells Google's server where to send the user after authentication. Google restricts the value to google.com domains, anticipating the obvious open-redirect risk, but according to Woods it does not check which Google service the link points to.
Woods describes several scenarios in a detailed blog post. In one, a user is told that the password they entered on the login page is incorrect and is asked to type it again. They "would have been unknowingly and seamlessly redirected to an attacker's website while in the process of logging in to the legitimate google.com." The user would then be handing the password to the attacker rather than to Google.
Because the continue parameter accepts any Google domain, an attacker can also use it to deliver malware. Drive and Docs let anyone upload files, so a continue value pointing at drive.google.com or docs.google.com lands the user on attacker-supplied content after a genuine Google sign-in. Since the link in a spear-phishing email would look like a real Google login URL, recipients would be easily tricked into downloading malware.
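The weakness described above is a host-suffix check that treats every google.com subdomain as equally trustworthy. The following is an added illustration, not Google's code and not code from Woods' post: `weak_is_allowed` reconstructs the behaviour the article describes (any host under google.com passes), and `strict_is_allowed` shows the kind of check that would close the hole, by allowing only an explicit set of first-party hosts and refusing hosts that serve user-uploaded content. The host lists, the login URL and the Drive link are assumptions constructed for the example.

```python
from urllib.parse import parse_qs, urlsplit

# Assumed allowlist of hosts a Google login flow may legitimately land on.
# This is an assumption for the example, not Google's real configuration.
FIRST_PARTY_HOSTS = {"accounts.google.com", "mail.google.com", "myaccount.google.com"}

# Hosts that serve content uploaded by arbitrary users. A redirect here is an
# attacker-controlled landing page or download even though the host is under google.com.
USER_CONTENT_HOSTS = {"drive.google.com", "docs.google.com"}


def weak_is_allowed(url: str) -> bool:
    """Reconstruction of the check the article describes: any host under
    google.com is accepted, with no regard for which service it is."""
    host = (urlsplit(url).hostname or "").lower()
    return host == "google.com" or host.endswith(".google.com")


def strict_is_allowed(url: str) -> bool:
    """Hardened check: https only, no embedded credentials, exact host match
    against a small allowlist, and an explicit deny for user-content hosts."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    # "https://accounts.google.com@evil.example/" parses with hostname evil.example;
    # reject userinfo outright rather than rely on that parser behaviour.
    if parts.username is not None or parts.password is not None:
        return False
    host = (parts.hostname or "").lower()
    if host in USER_CONTENT_HOSTS:
        return False
    return host in FIRST_PARTY_HOSTS


def extract_continue(login_url: str) -> str:
    """Pull the continue parameter out of a login page URL ('' if absent)."""
    query = parse_qs(urlsplit(login_url).query)
    values = query.get("continue", [])
    return values[0] if values else ""


def classify(login_url: str) -> dict:
    """Evaluate the redirect target of a login URL under both checks."""
    target = extract_continue(login_url)
    return {
        "target": target,
        "weak_allows": weak_is_allowed(target),
        "strict_allows": strict_is_allowed(target),
    }


if __name__ == "__main__":
    # Constructed sample URLs; the login endpoint and Drive path are placeholders.
    samples = [
        "https://accounts.google.com/login?continue=https://mail.google.com/mail/",
        "https://accounts.google.com/login?continue=https://drive.google.com/uc?export=download%26id=EXAMPLE",
        "https://accounts.google.com/login?continue=https://google.com.evil.example/",
        "https://accounts.google.com/login?continue=http://mail.google.com/mail/",
    ]
    for s in samples:
        print(classify(s))
```

The Drive sample is the case the article describes: the suffix check accepts it because the host ends in google.com, while the strict check rejects it because drive.google.com hosts files anyone can upload. A lookalike such as google.com.evil.example fails both checks, which is why suffix matching on its own is not the whole problem; the missing piece is distinguishing Google's own services from Google-hosted user content.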
Google declines to classify it as a security issue
Woods says he was able to specify both .html and .exe files as the target and that the browser downloaded them without the user ever appearing to leave the login flow. He reported this URL whitelist flaw to Google's security team, but Google declined to classify it as a security issue and closed all three of his bug reports. Woods has now published the details of the vulnerability "in hope that public disclosure will encourage Google to do otherwise." Google's response to his report read:
Thanks for your bug report and research to keep our users secure! We've investigated your submission and made the decision not to track it as a security bug. This report will unfortunately not be accepted for our VRP. Only first reports of technical security vulnerabilities that substantially affect the confidentiality or integrity of our users' data are in scope, and we feel the issue you mentioned does not meet that bar 🙁