CATEGORIES
home News

Google Ignores Potentially Dangerous Login Redirect Exploit Says Researcher

by Paul LillyWednesday, August 31, 2016, 09:27 AM EDT
Google

Here's a reminder to always check the URL of a website before entering in your login details, folks. That bit of safe computing advice applies to all online services, both big and small. Lest anyone doubt that, security researcher Aiden Woods recently notified Google of a potential security flaw in the way it handles user logins that, if exploited, could allow an attacker to steal the user's login credentials and/or distribute malware. Google has chosen not to address it.

When you login into a Google service such as Gmail, the login page accepts what Woods says is a "vulnerable GET parameter." Woods posits that by amending the login link, someone up to no good could trick users into thinking they entered in the wrong username and password combination and steal both upon re-entering, and/or send an arbitrary file to the user's browser each time the login form is submitted.

"Google's login page accepts a vulnerable GET parameter, namely 'continue'. As far as I can determine, this parameter undergoes a basic check: Must point to *.google.com/* The application fails to verify the type of Google service that has been specified. This means that is is possible to seamlessly insert any Google service at the end of the login process," Woods says.


Woods notified Google of his finding but chose not to do anything about it. From Google's vantage point, phishing would be the only way to exploit the vulnerability, and it already has precautions in place to protect users from phishing.

"If I understand correctly the only attack scenario you have in mind is phishing, we invest in technologies to detect and alert users about phishing and abuse. Take a look at https://sites.google.com/site/bughunteruniversity/nonvuln/open-redirect. If you can come up with a convincing attack vector let me know," a member of Google's security team told Woods.

Woods isn't happy with Google's dismissal, especially since the search giant seems to understand the technical issue (it's not a matter of him not getting his point across). Nevertheless, Google simply feels the issue "does not meet the bar" to be tracked as a security bug.
Tags:  Google, security, (nasdaq:goog)
TOP CONVERSATIONS
Your Next PC Platform?
More Results
KEEP INFORMED
SITE

Home

Reviews

News

Blogs

Full Site

Sitemap

CATEGORIES

PC Components

Systems

Mobile

IT Infrastructure

Leisure

Videos

COMPANY

About

Advertise

News Tips

Contact

Privacy And Terms

HotTech

MORE

Accessibility

Shop

STAY CONNECTED

Twitter

Facebook

YouTube

RSS

As an Amazon and Howl Technologies Associate, HotHardware earns a commission from qualifying purchases made on this site. This site is intended for informational and entertainment purposes only. The contents are the views and opinion of the author and/or his associates. All products and trademarks are the property of their respective owners. Reproduction in whole or in part, in any form or medium, without express written permission of Hot Hardware, Inc. is prohibited. All content and graphical elements are Copyright © 1999 - 2024 David Altavilla and Hot Hardware, Inc.
All rights reserved. Privacy and Terms - Accessibility Commitment