We regularly use Google services like Gmail, Google Photos, Google Drive etc. But, what if I tell you that Google’s login page can allow hackers to automatically download files on your computer, once the victim presses the Sign in Button. Aidan Woods, a British security researcher had found a vulnerability on Google’s login page that simply allows hackers to download files on user’s computer as soon as the victim clicks on “Sign in” button The problem occurs because Google allows “continue=[link]” parameter in every Google’s login page URL. The parameter simply tells Google server where to redirect the users after authenticating. However, Google has restricted the use of Parameter only to Google.com because Google anticipated that this parameter might cause security concerns. Aidan Woods also determined that drive.google.com or docs.google.com links can also be passed as valid “continue” parameters inside the login URL. Any expert hacker can effortlessly upload malware and users who receive such links are most likely to be tricked into thinking it’s the real Google Login URL. Aidan Woods also reached Google’s security team to report about this bug reports but they closed all of them. It was the Google’s final reply “Thanks for your bug report and research to keep our users secure! We’ve investigated your submission and made the decision not to track it as a security bug. This report will unfortunately not be accepted for our VRP. Only first reports of technical security vulnerabilities that substantially affect the confidentiality or integrity of our users’ data are in scope, and we feel the issue you mentioned does not meet that bar ? ”
Δ
