Those comforting Google login pages might not be safe at all, according to a security researcher’s latest findings.
Taking a deeper look at Google’s service login pages, researcher Aidan Woods discovered that it’s “possible to seamlessly insert any Google service at the end of the login process”.
In short, this flaw allows dark lords of the web to insert additional parameters, websites or even Google Docs files into the URL of a login page. The inserted website would not be visible to the user, who would still see a Google login page.
To use Woods’ much simpler explanation:
Using an existing open redirect, it is now possible to send a user to an arbitrary page after login. This opens up the following series of events:
User follows link -> user sees sign-in prompt -> user verifies domain to be legitimate Google login page -> user types their username -> page redirects -> user types their password -> page redirects -> sorry, incorrect password -> user re-types their password -> page redirects to Google service.
In the stage where a user is told their password is incorrect, they would have been unknowingly and seamlessly redirected to an attacker’s website while in the process of logging in to the legitimate google.com.
This could theoretically make it easier for hackers to steal users’ passwords, or upload malicious files to their Google Drive (and computer).
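A server-side check that breaks this chain, as an added example (not from Woods' report or Google's code): the login flow accepts a post-login target only if it matches an explicit host-and-path allowlist and carries no nested URL, instead of trusting every page on its own domain. All host names, paths and function names are hypothetical.

```javascript
// Added example. Hosts, paths and names are hypothetical placeholders.
const DEFAULT_TARGET = "https://accounts.example.com/home";

// Exact landing pages only. A prefix ending in "/" allows that subtree.
const ALLOWED = new Map([
  ["accounts.example.com", ["/home", "/settings/"]],
  ["mail.example.com", ["/inbox"]],
]);

function pathAllowed(pathname, prefixes) {
  return prefixes.some((p) =>
    p.endsWith("/") ? pathname.startsWith(p) : pathname === p);
}

// True if any query value looks like a URL (scheme, "//", "/\" or "\").
// Fails closed: a harmless value such as "time:now" is rejected too.
function carriesNestedUrl(url) {
  for (const value of url.searchParams.values()) {
    if (/^\s*(?:[a-z][a-z0-9+.-]*:|\/[\/\\]|\\)/i.test(value)) return true;
  }
  return false;
}

// Returns the target to redirect to after login, or DEFAULT_TARGET
// when the requested one is not explicitly trusted.
function resolvePostLoginTarget(raw) {
  let url;
  try {
    url = new URL(raw); // WHATWG parsing, same rules a browser applies
  } catch {
    return DEFAULT_TARGET; // relative or malformed input
  }
  if (url.protocol !== "https:" || url.username || url.password || url.port) {
    return DEFAULT_TARGET;
  }
  const prefixes = ALLOWED.get(url.hostname);
  // pathname is already normalised, so "/settings/../x" is seen as "/x".
  if (!prefixes || !pathAllowed(url.pathname, prefixes)) return DEFAULT_TARGET;
  if (carriesNestedUrl(url)) return DEFAULT_TARGET;
  return url.href;
}
```

A redirector endpoint on a trusted host is rejected here because its path is not on the allowlist, which is the step the described chain depends on.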
Woods contacted Google, but the company replied that it had “made the decision not to track it as a security bug”.
“This report will unfortunately not be accepted for our VRP. Only first reports of technical security vulnerabilities that substantially affect the confidentiality or integrity of our users’ data are in scope, and we feel the issue you mentioned does not meet that bar :(,” Google adds in correspondence with Woods.
As for Woods’ response, he couldn’t “quite believe” it:
“I couldn’t quite believe that Google had both understood this issue, and simply shrugged it off. So I opened several reports to make sure understanding, or communicating the issue wasn’t the error here.”
For one, you should now be suspicious of even Google login pages, or practically any site with a baked-in Google login redirect.
Woods does give a few pointers to end users though:
Additionally, be sure to read his full report along with the correspondence with Google here.