bodyType

customContents

entityId

entityUuid

articlePageQuery

filter

article

articleBaseAdvertisingInfoArticle

articleListArticle

articleSeoArticle

helpersCheckIsPostiesArticle

hooksArticleAcknowledgementGateOverlayArticle

hooksTrackPageViewArticle

hooksContentInterestArticle

articleLinkingDataContent

hooksAmpRedirectArticle

articleSchemaContent

liveArticle

advertZone

sentiment

contentLock

topics

types

sections

moreOnThisArticles

urlAlias

commentCount

authorLocations

authors

corrections

sponsorType

displaySlideShow

multimediaEmbed

printHeadline

seriesContainer

socialHeadline

headline

flag

firstTopic

glossary

flattenTypeIds

publishedDate

additionalInfoBoxes

quizIds

images

image

relatedLinks

relatedNewsletters

__typename

createdDate

sponsor

paywallTypes

pdfFiles

seriesReverseOrder

series

disableOffPlatformContent

published

updatedDate

summary

subHeadline

body

keywords

readingTime

customTimezone

liveContents

Business Insider

A security researcher found a problem in Google's own login page that could allow a hacker to easily steal people's passwords — and the company apparently isn't too worried about fixing it.
In a post published Saturday on his personal website, Aidan Woods writes of the find and some frustrating interactions he had with Google's security team, which told him they would not track it as a security bug.
"I hope that public disclosure will encourage Google to do otherwise," Woods wrote.
Here's what Woods figured out: Google's login page allows the insertion of an extra parameter called "continue" which can redirect a user to any URL, as long as it's one that starts with google.com.
So, for example, adding ?continue=http://www.google.com/amp/businessinsider.com onto the login URL would bring a person to a real Google login screen. Then after they enter their username and password, it would take them to the home page of Business Insider.
And that can be a very bad thing.
As Woods notes, an attacker can redirect someone to a Google form to gather personal information, or have them automatically download a malicious file uploaded to Google Drive. Or, in perhaps what would be the easiest use case, a hacker can redirect a user to a website they control that looks exactly like the Google login screen — with a message saying "password incorrect, please try again" — convincing the user to give up their password.
It's a classic phishing scheme that would basically use Google.com against the victim. Email phishing, where an attacker sends an email directing someone to download malicious files or click a link, is by far the most-used method cyber criminals employ these days.
That's because it's simple and very effective — and using a Google login page would make it even more so.
Woods shared emails with the company's security team, which downplayed the problem. A Google employee named Karshan sent the researcher to a Google website classifying such redirects as posing "very little practical risk" though it noted that a redirect classified as a URL whitelist bypass — which is what this is — can lead to "more serious flaws."
Business Insider confirmed the redirect issue still exists. Interestingly, another researcher who saw Woods post claimed he contacted the company back in late June, and was similarly rebuffed.
"I couldn't quite believe that Google had both understood this issue, and simply shrugged it off," Woods wrote.
A Google spokesperson declined to provide a statement to Business Insider.
However, the spokesperson did offer some background information, explaining that the company's security team understands the issue but doesn't really see eye to eye with Woods, as the redirect function can (and does) have legitimate uses for conveniently bringing a user from a login screen to somewhere else within Google.
For now, users should be cautious when being asked to re-enter their password. If asked to give your password or other personal information, double-check the URL and ensure it's still coming from google.com. If it's not, it's possible you're seeing this attack in action.
Woods created a video of how it works:

See Also:
Flaw in Facebook & Google Allows Phishing, Spam & More
Google Has A New Gadget To Keep Your Gmail Account Safe From Hackers
How Mark Zuckerberg Hacked Into Email Accounts Was Admittedly Pretty Cool
Click here to visit Business Insider


Bezos’ Washington Post scraps ad calling for Trump to ‘fire Elon Musk’ from print editions

From Thailand’s ‘Ghost Tower’ to Pyongyang’s ‘Hotel of Doom’: Asia’s abandoned skyscrapers

Brutal, ‘brave’ and unrelenting: the North Korean troops fighting Ukraine

Trump, Musk highlighted in Ben & Jerry’s suit against Unilever over social mission interference

Google's login page has a fault that hackers could use to trick you out of your password

Attackers can redirect people to a Google form to gather personal information, an automatic download of a malicious file uploaded to Google Drive, or a fake login screen. Photo: Thomson Reuters

Tech

Security researcher who found the fault says Google hasn't taken his warning seriously


Google

Cybersecurity

Articles imported from external feeds - eg Associated Press


Feed