Here's a reminder to always check the URL of a website before entering your login details, folks. That bit of safe-computing advice applies to every online service, big or small. Lest anyone doubt it, security researcher Aiden Woods recently notified Google of a potential security flaw in the way it handles user logins that, if exploited, could let an attacker steal a user's login credentials and/or distribute malware. Google has chosen not to address it.
When you log in to a Google service such as Gmail, the login page accepts what Woods says is a "vulnerable GET parameter." Woods posits that by amending the login link, someone up to no good could trick users into thinking they had entered the wrong username and password combination and steal both when they re-entered them, and/or send an arbitrary file to the user's browser each time the login form is submitted.
"Google's login page accepts a vulnerable GET parameter, namely 'continue'. As far as I can determine, this parameter undergoes a basic check: Must point to *.google.com/* The application fails to verify the type of Google service that has been specified. This means that it is possible to seamlessly insert any Google service at the end of the login process," Woods says.
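To make the distinction concrete, here is an added example (not Google's code, and not code from Woods) that models a post-login redirect check the way Woods describes it: a "weak" check that accepts any https URL under google.com, beside a "strict" allowlist of exact host and path-prefix pairs, which is the usual fix for this class of open redirect. The allowlist entries and the sample `continue` values are constructed for illustration; the actual check Google runs is not public, so the weak version is an assumption based only on Woods's description.

```python
"""
Model of a 'continue'-style post-login redirect check.

Added example, not Google's implementation. weak_continue_check follows
Woods's description (any host under *.google.com, any path); strict_continue_check
is the allowlist a reviewer would ask for instead.
"""
from urllib.parse import urlsplit

# Hypothetical allowlist: exact host -> permitted path prefixes. Constructed for
# this example; a real deployment would enumerate its own landing pages.
ALLOWED_CONTINUE_TARGETS = {
    "mail.google.com": ("/mail/",),
    "drive.google.com": ("/drive/",),
}


def weak_continue_check(url: str) -> bool:
    """Approximation of the check Woods describes: https and a host that is
    google.com or any subdomain of it. Every Google service and every path
    passes, which is exactly the gap Woods points at."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    host = (parts.hostname or "").lower()
    # Note the leading dot: a bare endswith("google.com") would also admit
    # hosts such as notgoogle.com.
    return host == "google.com" or host.endswith(".google.com")


def strict_continue_check(url: str) -> bool:
    """Allowlist check: exact host, known path prefix, no userinfo or
    explicit port (both are classic ways to smuggle a different origin past
    a sloppy string match)."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    if parts.username is not None or parts.port is not None:
        return False
    host = (parts.hostname or "").lower()
    prefixes = ALLOWED_CONTINUE_TARGETS.get(host)
    if prefixes is None:
        return False
    path = parts.path or "/"
    return any(path.startswith(prefix) for prefix in prefixes)


# Constructed sample 'continue' values, each with the scenario it stands for.
SAMPLE_CONTINUE_VALUES = {
    # legitimate landing page after login
    "https://mail.google.com/mail/u/0/": "inbox",
    # a file download served from a Google host (the 'arbitrary file' scenario)
    "https://docs.google.com/uc?export=download&id=EXAMPLE": "hosted file",
    # a Google-hosted page that could imitate the login form (the phishing scenario)
    "https://sites.google.com/view/example-login": "hosted page",
    # lookalike host that merely contains google.com
    "https://google.com.evil.example/": "lookalike host",
    # userinfo trick: the real host here is evil.example
    "https://mail.google.com@evil.example/": "userinfo trick",
    # right host, unexpected port
    "https://mail.google.com:8443/mail/": "odd port",
}


def evaluate_samples() -> dict:
    """Run both checks over the constructed samples; returns
    {url: (weak_result, strict_result)}."""
    return {
        url: (weak_continue_check(url), strict_continue_check(url))
        for url in SAMPLE_CONTINUE_VALUES
    }


if __name__ == "__main__":
    for url, (weak, strict) in evaluate_samples().items():
        label = SAMPLE_CONTINUE_VALUES[url]
        print(f"{label:15} weak={weak!s:5} strict={strict!s:5} {url}")
```

Running it shows the point of the report: the hosted-file and hosted-page URLs sail through the weak check because they sit under google.com, while the allowlist rejects them along with the port and userinfo variants. Whether that counts as a vulnerability or merely a phishing aid is the question Google and Woods disagree on below.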
Woods notified Google of his finding, but Google chose not to do anything about it. From Google's vantage point, phishing would be the only way to exploit the issue, and it already has precautions in place to protect users from phishing.
"If I understand correctly, the only attack scenario you have in mind is phishing; we invest in technologies to detect and alert users about phishing and abuse. Take a look at https://sites.google.com/site/bughunteruniversity/nonvuln/open-redirect. If you can come up with a convincing attack vector, let me know," a member of Google's security team told Woods.
Woods isn't happy with Google's dismissal, especially since the search giant seems to understand the technical issue (it's not a matter of him failing to get his point across). Nevertheless, Google simply feels the issue "does not meet the bar" to be tracked as a security bug.