Google login pages aren’t safe at all, research finds


Those comforting Google login pages might not be safe at all, according to a security researcher’s latest findings.

Taking a deeper look at Google’s service login pages, researcher Aidan Woods discovered that it’s “possible to seamlessly insert any Google service at the end of the login process”.

In short, this flaw allows dark lords of the web to insert additional parameters, websites or even Google Docs files into the URL of a login page. The inserted destination stays hidden from view; what the user sees is a Google login page.

To use Woods’ much simpler explanation:

Using an existing open redirect, it is now possible to send a user to an arbitrary page after login. This opens up the following series of events:

User follows link -> user sees sign-in prompt -> user verifies domain to be legitimate Google login page -> user types their username -> page redirects -> user types their password -> page redirects -> sorry, incorrect password -> user re-types their password -> page redirects to Google service.

In the stage where a user is told their password is incorrect, they would have been unknowingly and seamlessly redirected to an attacker’s website while in the process of logging in to the legitimate

This could theoretically make it easier for hackers to steal users’ passwords, or upload malicious files to their Google Drive (and computer).
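The defensive counterpart to the chain Woods describes, as an added example that is not code from the article, from Woods or from Google: a login handler that only honours a post-login "continue" parameter when it resolves to an allowlisted host, so an attacker-controlled page cannot be spliced into the middle of the sign-in flow. The host names, the default landing page and the parameter name are constructed for the example.

```python
from urllib.parse import urlsplit, urljoin

# Hosts a post-login "continue" parameter may legitimately point at.
# Constructed placeholders for this example, not a real provider's list.
ALLOWED_HOSTS = {"accounts.example.com", "drive.example.com", "docs.example.com"}
DEFAULT_AFTER_LOGIN = "https://accounts.example.com/"


def safe_redirect_target(continue_url: str, base: str = DEFAULT_AFTER_LOGIN) -> str:
    """Return a redirect target that is guaranteed to stay on an allowed host.

    An open redirect exists when the login page forwards the user to whatever
    URL the "continue" parameter carries. Validating the *resolved* host, not
    the raw string, closes the common bypasses listed in the comments below.
    """
    if not continue_url:
        return base
    candidate = continue_url.strip()
    # Browsers treat backslashes as forward slashes, so "/\evil.test" would be
    # interpreted as a protocol-relative URL. Normalise before parsing.
    candidate = candidate.replace("\\", "/")
    # Embedded control characters (CR, LF, TAB) are never legitimate in a URL
    # and are a classic header-splitting vector; refuse them outright.
    if any(ord(ch) < 0x20 for ch in candidate):
        return base
    # Resolve against the login origin: "/path" stays on-site, while
    # "//evil.test" becomes "https://evil.test" and is caught below.
    # Percent-encoded slashes ("%2F%2Fevil.test") remain a path, not a host.
    resolved = urljoin(base, candidate)
    parts = urlsplit(resolved)
    # `hostname` discards userinfo and port, so
    # "https://accounts.example.com@evil.test/" yields "evil.test" and fails.
    # Any non-https scheme (http, javascript, data) also fails here.
    if parts.scheme != "https" or parts.hostname not in ALLOWED_HOSTS:
        return base
    return resolved
```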

Google login pages can be exploited, leading to password theft and malicious file downloads

Woods reported the issue to Google, but the company replied that it had “made the decision not to track it as a security bug”.

“This report will unfortunately not be accepted for our VRP. Only first reports of technical security vulnerabilities that substantially affect the confidentiality or integrity of our users’ data are in scope, and we feel the issue you mentioned does not meet that bar :(,” Google adds in correspondence with Woods.

As for Woods’ response, he couldn’t “quite believe” it:

“I couldn’t quite believe that Google had both understood this issue, and simply shrugged it off. So I opened several reports to make sure understanding, or communicating the issue wasn’t the error here.”

So what does this mean?

For one, you should now be suspicious of even Google login pages, or practically any site with a baked-in Google login redirect.

Woods does give a few pointers to end users though:

  • Always check the URL – before entering credentials – including at each stage of the login process
  • Avoid login after clicking links that don’t come directly from Google – bad links could be anywhere: even Google search results
    An example use case would be behind the ruse of user protected content that requires sign-in (e.g. content on Google Drive)
  • If it looks like Google sent you a file at sign-in, don’t run it. Regardless of what it is named, you can’t trust it.

Additionally, be sure to read his full report along with the correspondence with Google here.

Andy Walker, former editor
