As usual I was reading the news on The Hacker New security portal when a post attracted my attention, another security issue related to an IT giant, Google. The Indian penetration tester Ansuman Samantaray discovered a security flaw in Google drive that exposes millions of Google users to threat of phishing attacks.
Too bad that Google has ignored the warning underestimating the risks and replying to the researcher that
“It is just a mare phishing attempt,not a bug in Google”
Analyzing in detail the URL used to upload or create a file on Google Drive/Docs is possible to note the value “download” for the attribute “export” that alow user to download the document.
The Indian pentester demonstrated that if an attacker changes “export” parameter to “view“, the malicious code written in the document file created is executed by the browser.
The researcher at THN also provided proof of flaw, they uploaded a file on Google Drive and using the attribute value download.
meanwhile following there is the same link using view value for the export attribute.
Once submitted the password the scripts intercept it in a log file and redirect the user to Google Drive homepage.
The hacker news Team revealed that Google Security Team in not new to similar error of evaluation of possible, last week another Google Drive Clickjacking Flaw was refused by Google, that later extends to phishing attack.
(Security Affairs – Hacking)