Attackers can add an arbitrary page to the end of a Google login flow that can steal users’ credentials. or alternatively, send users an arbitrary file any time a login form is submitted, due to a bug in the login process.
A researcher in the UK identified the vulnerability recently and notified Google of it, but Google officials said they don’t consider it a security issue. The bug results from the fact that the Google login page will take a specific, weak GET parameter.
“Google’s login page accepts a vulnerable GET parameter, namely ‘continue’. As far as I can determine, this parameter undergoes a basic check,” Aidan Woods, the researcher who discovered the bug, wrote in an explanation of the flaw.
The login page checks to ensure that the parameter points to *.google.com/*, but doesn’t determine which Google service the parameter is pointing to.
“The application fails to verify the type of Google service that has been specified. This means that is is possible to seamlessly insert any Google service at the end of the login process.”
Using this bug, an attacker could add an extra step to the end of the login flow that could steal a user’s credentials. For example, the page could mimic an incorrect password dialog and ask the user to re-enter the password. Woods said an attacker also could send an arbitrary file to the target’s browser any time the login form is submitted.
In an email to On the Wire, Woods said exploiting the bug is a simple matter.
“Attacker would not need to intercept traffic to exploit – they only need to get the user to click a link that they have crafted to exploit the bug in the continue parameter,” Woods said.
Woods opened three separate reports with Google about the vulnerability, but to no avail.
“I couldn’t quite believe that Google had both understood this issue, and simply shrugged it off. So I opened several reports to make sure understanding, or communicating the issue wasn’t the error here. In total, three reports were opened with Google; three reports were closed,” Woods said.
“Google needs to make sure the values they allow can’t be abused.”
In a message to Woods, Google representatives said they saw phishing as the only attack vector, and didn’t consider this a security problem.
“Thanks for your bug report and research to keep our users secure! We’ve investigated your submission and made the decision not to track it as a security bug,” the message said.
Woods said Google has a few options for addressing the vulnerability.
“The simplest action Google can take to address this would be to remove the redirect feature at login. If they want to retain that feature and also address this problem, they need to properly validate the contents of the parameter: Google needs to make sure the values they allow can’t be abused, and validate the allowed values are also safe themselves,” Woods said.