Ahead of the recent Google password leak, a new Timing exploit has been discovered which can be used to unmask the identities of Google users browsing the web. Just two days back a staggering 5 million Gmail passwords were leaked on a Russian bitcoin forum, resulting in many believing their security had been compromised.
Google however denied the validity of the data posted and claimed that the passwords posted were old and therefore useless. Well, a new vulnerability has been discovered in Google's document sharing service and Google drive which can be used to unmask the identities of users visiting the website of the attacker.
Security Researcher Andrew Cantino Discovers New Timing Vulnerability In Google Drive
According to Andrew Cantino, Vice President engineering at Mavenlink, the exploit discovered can have several repercussions. In order to exploit this vulnerability an attacker would have to share a document with one or more email addresses but uncheck the option which sends a notification. This gives the attacking site an option to know when someone logged into one of the email addresses the document has been shared with accesses the site.
While it might seem light at first, this can have several negative consequences. This attack can be used for spear phishing, targeted attacks on particular users such as government officials and can even be used to unmask the identities of Tor users if they use the browser while logged into gmail.
Mr. Cantino reported the issue to Google who acknowledged the issue but refused to fix it. This is due to the fact that according to Google the risk of exploiting this vulnerability to target a large population is low.