British security researcher Aidan Woods discovered an issue on Google's login page that allows an attacker to automatically download files to the user's computer when the user presses the Sign In button.
At the heart of this security issue is the "continue=[link]" parameter that Google accepts in the login page URL, which tells the Google server where to redirect the user after authenticating.
Google anticipated that this parameter might cause security issues and limited its use to google.com domains using the "*.google.com/*" rule, where * is a wildcard.
Attackers could host malware on Google Drive/Docs
Woods figured out that this meant that drive.google.com or docs.google.com links could be passed as valid "continue" parameters inside the login URL.
An attacker could upload malware to a Google Drive or Google Docs account, take the file's URL, and hide it inside the official Google login link.
Users who receive this link in a spear-phishing email would most likely be tricked into thinking it's the real Google login URL.
When the user opens this page and logs in, a file is downloaded to the user's PC without confirmation as soon as the victim presses the Sign In button.
A cleverly named file such as "Login_Challenge.exe" or "Two-Factor-Authentication.exe" would trick less technical users into installing malware on their computers.
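The gap between the wildcard rule described above and an exact-host allowlist, as an added Python example that is not Google's code and not part of the original article. The `TRUSTED_HOSTS` set, the function names and the sample URLs (with `FILE_ID` as a placeholder) are constructed assumptions.

```python
from urllib.parse import urlsplit

# Hypothetical exact-host allowlist: only hosts assumed never to serve
# user-uploaded files. Not taken from the article.
TRUSTED_HOSTS = {"accounts.google.com", "mail.google.com", "myaccount.google.com"}

def _host(url):
    """Return the lowercase hostname of an https URL, or None if unusable."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    if parts.scheme != "https" or not parts.hostname:
        return None
    # .hostname already drops any userinfo ("user@") and port.
    return parts.hostname.rstrip(".").lower()

def wildcard_allows(url):
    """The "*.google.com/*" rule from the article: any subdomain, any path."""
    host = _host(url)
    return host is not None and host.endswith(".google.com")

def strict_allows(url):
    """Stricter variant: the host must be on the exact allowlist."""
    return _host(url) in TRUSTED_HOSTS

# Constructed sample values for the continue parameter.
SAMPLES = [
    "https://mail.google.com/mail/",
    "https://drive.google.com/file/d/FILE_ID/view",
    "https://docs.google.com/document/d/FILE_ID/edit",
    "https://google.com.attacker.example/",
    "https://accounts.google.com@attacker.example/",
    "http://mail.google.com/",
]

def compare(urls=SAMPLES):
    """Return (url, wildcard verdict, strict verdict) for each URL."""
    return [(u, wildcard_allows(u), strict_allows(u)) for u in urls]

if __name__ == "__main__":
    for url, wild, strict in compare():
        print(f"wildcard={wild!s:5} strict={strict!s:5} {url}")
```

Both checks reject the look-alike hosts, but only the exact-host list rejects the Drive and Docs links, because those subdomains satisfy the wildcard while serving user-controlled content.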
Google declined to fix the issue
Woods says that he attempted to notify Google's security team about the issue, but they closed all three of the bug reports he opened about it.
Below is a snippet from Google's final reply, but you can read the entire email exchange on Woods' blog.