Google will point out the vulnerability of the login page Decided to leave it as "no problem"

ByDan Century

Security expert Aidan Woods discovered a vulnerability that could infect malware from Google's login page and reported it to Google's security team, but from Google, "Do not trace it as a security bug It was reported on Mr. Woods' blog that there was a reply saying "I decided on it."

Aidan Woods: Google's Faulty Login Pages
https://www.aidanwoods.com/blog/faulty-login-pages

Google will not fix login page flaw that can lead to malware download | ZDNet
http://www.zdnet.com/article/google-wont-fix-login-page-flaw-can-lead-to-malware-download/

Google refuses to patch faulty login page that can be used to serve up malware
http://www.neowin.net/news/google-refuses-to-patch-faulty-login-page-that-can-be-used-to-serve-up-malware

Mr. Woods found a vulnerability in Google's login page that allows you to redirect to another page after logging in to Google's apps and services. The page redirected is limited to the domain of "google.com", but if you set up malware in Google Drive, Google Docs, etc., you will be able to see Google, like "drive.google.com", "docs.google.com" You can display malware download page under subdomain of.

Mr. Woods claimed that if this vulnerability could be broken, he could download malware and steal Google's login information and reported a bug to Google's security team. Google that received this investigated this issue, but "Open RedirectorWe are dealing with the mechanism of the problem so there is no problem "to reply to Mr. Woods that no special measures will be taken. Mr. Woods was wondering whether to disclose the details in the presence of vulnerability as a security expert but thought that the response of Google was "not correctly recognizing the problem" and Google released the information again to cope with the problem It seems that we have made a blog publicly in hopes of doing it.


You can see the movies that reproduce the redirect from the login page from the following.

Google: Faulty Login Pages - YouTube


In the Google login page with the parameter "download Google Drive file" (export = download) in the URL, enter the Google Account login information and click "Login" ... ...


When login is completed, multiple files are automatically downloaded from Google Docs. Mr. Woods warns that if a malicious attacker could download malware like this in this way.