A fault in the Google login page was recently discovered which could allow hackers to steal users’ login data from the login page. Apparently, Google is not even slightly worried about fixing the problem. Aidan Woods, the security researcher who made the discovery, wrote on his personal blog that when he discovered the bug, he tried to relay it to the Google security team but he had some frustrating conversations with them.
He wrote that the group told him that they were not going to track the bug as a security bug. He also wrote that he hoped through public disclosure, the group would be forced into action.
Woods discovered that the Google login page could steal users’ data through dubious methods. He discovered that on the Google login page, there is an extra parameter named the ‘continue’ option. This parameter makes a user go on to any other website as long as it has google.com on it. Woods noted that cyber attackers can then take advantage of this and redirect users to different sites disguised as Google forms and then collect personal data from the unsuspecting users.
Cuber attackers can also make users download suspicious files onto their devices which can be downloaded through the Google Drive platform. Hackers can also use phishing methods such as luring users to a website made up to look as Google website where they are told their password is incorrect and therefore have to give up their password.
The methods mentioned are classic phishing methods that make use of the Google login page. It also ranks high with email phishing, a method whereby an unsuspecting victim is sent a link to their email and they have to click to see what’s on it. Phishing is one of the most used attacking methods because it is relatively easy to do, and using something as easily accessible as the Google login page is a coup for the attackers.
Woods shared the correspondence he had with the Google security team and it clearly showed that the group underplayed the problem. One Google employee simply named as Karshan referred Woods to a website which actually classifies the problem Woods highlighted as nothing and it only posed a small and minimal risk. However, the same website also indicated that these kind of bugs could lead to even more serious flaws.
One Google spokesperson said that just as several account based services, the company had also put the redirect links so as to provide a simple sign-in experience for its users. This would in turn avoid unnecessary friction for the users across several sites. In Google’s case, users could go to an external login page and they can use the Google sign in credentials, get into the account they want and later they would be redirected back to the page they were on at first. The spokesperson also reiterated that the company was always looking after its user’s security by inputting measures such two factor authentication system, Safe Browsing and so much more.
However after all is said and done, users should continue to take safety measures of their own and should be caution when they are putting their log in credentials. When asked for login details repeatedly after a redirect, check to see the URL if it’s still from google.com and if not, then it’s probably an attack.