Google declined to classify this as a security issue. British security researcher Aidan Woods discovered an issue on Google’s login page that lets an attacker trigger a file download onto the user’s computer the moment they press the Sign In button.
At the heart of the issue is the fact that Google’s login page accepts a “continue=[link]” URL parameter that tells the Google server where to redirect the user after they authenticate.
Google anticipated that such a redirect parameter could be abused and restricted it to google.com domains with the rule “*.google.com/*”, where * is a wildcard.
Attackers could host malware on Google Drive/Docs
Woods realized that this rule still accepts drive.google.com or docs.google.com links as valid “continue” parameters inside the login URL.
An attacker could upload malware to their own Google Drive or Google Docs account, take the file’s URL, and hide it inside an otherwise genuine Google login link.
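To make the allowlist gap concrete, the following Python is an added illustration of the policy as the article describes it; it is not Woods’ code and not Google’s implementation. The login endpoint path, the Drive download URL, the attacker hostnames and the strict-allowlist hosts are all constructed for the example. It shows three checks: the “*.google.com/*” glob applied naively to the whole URL string (which attacker-controlled hosts can satisfy through the query string), the same wildcard applied to the parsed hostname (which is what lets drive.google.com through), and an exact-host allowlist that excludes hosts serving user-uploaded content.

```python
import fnmatch
from urllib.parse import urlencode, urlsplit

# Hypothetical login endpoint; the real path of Google's login page is not
# given in the article and is not needed for the illustration.
LOGIN_URL = "https://accounts.google.com/ServiceLogin"

# Constructed sample redirect targets (not real file IDs or hosts).
DRIVE_DOWNLOAD = "https://drive.google.com/uc?export=download&id=CONSTRUCTED_FILE_ID"
MYACCOUNT = "https://myaccount.google.com/"
LOOKALIKE_HOST = "https://drive.google.com.evil.example/"
QUERY_SMUGGLE = "https://evil.example/?x=a.google.com/"
USERINFO_TRICK = "https://accounts.google.com@drive.google.com/"


def build_login_link(continue_url: str) -> str:
    """Return the link an attacker would mail out: the genuine login host
    with the attacker's target smuggled into the continue= parameter."""
    return LOGIN_URL + "?" + urlencode({"continue": continue_url})


def naive_string_match(continue_url: str) -> bool:
    """The rule '*.google.com/*' applied to the whole URL as a glob.
    Because '*' also matches '/' and '?', the pattern can be satisfied by a
    query string, so this version accepts attacker-controlled hosts."""
    return fnmatch.fnmatchcase(continue_url, "*.google.com/*")


def allowed_by_wildcard(continue_url: str) -> bool:
    """The wildcard rule as the article describes it, applied to the parsed
    host: every *.google.com subdomain passes, including drive.google.com,
    which is the gap Woods reported."""
    parts = urlsplit(continue_url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    # urlsplit().hostname is already lowercased
    return fnmatch.fnmatchcase(parts.hostname, "*.google.com")


# Hypothetical exact-host allowlist: first-party hosts that never serve
# user-uploaded content. Chosen for illustration, not taken from Google.
STRICT_HOSTS = frozenset({"accounts.google.com", "myaccount.google.com"})


def allowed_by_strict_allowlist(continue_url: str) -> bool:
    """Hardened check: https only, exact host match, no userinfo, no odd port."""
    parts = urlsplit(continue_url)
    if parts.scheme != "https" or not parts.hostname:
        return False
    if parts.username is not None or parts.password is not None:
        return False
    try:
        if parts.port not in (None, 443):
            return False
    except ValueError:  # non-numeric port component
        return False
    return parts.hostname in STRICT_HOSTS


if __name__ == "__main__":
    print("phishing link:", build_login_link(DRIVE_DOWNLOAD))
    for url in (DRIVE_DOWNLOAD, MYACCOUNT, LOOKALIKE_HOST, QUERY_SMUGGLE, USERINFO_TRICK):
        print(f"{url}\n  naive={naive_string_match(url)} "
              f"wildcard={allowed_by_wildcard(url)} "
              f"strict={allowed_by_strict_allowlist(url)}")
```

The point of the strict variant is that a wildcard over a domain you share with user-controlled content (Drive, Docs, Sites and the like) is not an allowlist of your own pages; only hosts that cannot serve an arbitrary uploaded file belong in a redirect allowlist, and the check must be made on the parsed host, not on the raw string.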
Users who receive this link in a spear-phishing email would most likely take it for the real Google login URL, since the link does point at Google’s own login page.
When the user opens the page and logs in, pressing the Sign In button redirects them to the attacker’s Drive or Docs file, which is downloaded to the victim’s PC without any further confirmation.
A file with a reassuring name such as “Login_Challenge.exe” or “Two-Factor-Authentication.exe” could trick less technical users into running it and installing the malware themselves.
Google declined to fix the issue
Woods says that he attempted to notify Google’s security team of the issue, but they closed all three of the bug reports he opened about it.
Below is a snippet from Google’s final reply; the entire email exchange is published on Woods’ blog.
“Thanks for your bug report and research to keep our users secure! We’ve investigated your submission and made the decision not to track it as a security bug. This report will unfortunately not be accepted for our VRP. Only first reports of technical security vulnerabilities that substantially affect the confidentiality or integrity of our users’ data are in scope, and we feel the issue you mentioned does not meet that bar 🙁”