As usual I was reading the news on The Hacker News security portal when a post attracted my attention: another security issue related to an IT giant, Google. The Indian penetration tester Ansuman Samantaray discovered a security flaw in Google Drive that exposes millions of Google users to the threat of phishing attacks.
Too bad that Google ignored the warning, underestimating the risks and replying to the researcher that:
“It is just a mere phishing attempt, not a bug in Google”
On December 20th Ansuman Samantaray reported a JavaScript execution vulnerability in Google Drive files, but the Google Security Team rejected it the day after. The researcher's thesis is that the flaw could be exploited for phishing attacks.
An attacker could abuse the way Google Drive previews documents in the browser: code contained in an uploaded document file is executed as HTML/JavaScript just by changing the value of a URL parameter called “export”.
Analyzing in detail the URL used to upload or create a file on Google Drive/Docs, it is possible to note the value “download” for the “export” parameter, which lets the user download the document.
https://docs.google.com/uc?authuser=0&id=0B6mcoM7O55_jWXp2N2FvdHBVTTg&export=download
The Indian pentester demonstrated that if an attacker changes the “export” parameter to “view”, the malicious code written into the uploaded document file is executed by the browser.
https://docs.google.com/uc?authuser=0&id=0B6mcoM7O55_jWXp2N2FvdHBVTTg&export=view
The researchers at THN also provided a proof of the flaw: they uploaded a file to Google Drive and linked to it using the “download” value for the export parameter.
https://docs.google.com/uc?authuser=0&id=0B6mcoM7O55_jZnZnV1ZEZThqaDA&export=download
The following is the same link using the “view” value for the export parameter.
https://docs.google.com/uc?authuser=0&id=0B6mcoM7O55_jZnZnV1ZEZThqaDA&export=view
The document contains JavaScript code that displays a fake authentication box asking the user to enter their password to re-authenticate before viewing the document.
Once the password is submitted, the script records it in a log file and redirects the user to the Google Drive homepage.
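The defensive counterpart of the issue above is to never render user-uploaded active content inline on the trusted origin, whatever the “export” parameter says. The following is an added example (not Google's code) of a hardened handler for such a parameter; the allow list of preview-safe types and the response-header layout are assumptions for this illustration.

```python
"""Hardened handling of an 'export' query parameter for user-uploaded files.

Added example, not Google's code. The failure mode described above is that
'export=view' makes the browser render an uploaded HTML/JavaScript file
inline on the trusted origin. This handler forces a download for anything
that is not on a small allow list of passive types, forbids MIME sniffing,
and sandboxes the few previews it does allow.
"""
from urllib.parse import parse_qs, urlsplit

# Types that carry no script and may be previewed inline.
# Assumption for this example; a real service keeps its own list.
INLINE_SAFE_TYPES = {"image/png", "image/jpeg", "image/gif", "text/plain"}


def export_mode(url: str) -> str:
    """Return the 'export' parameter value; 'download' when absent."""
    query = parse_qs(urlsplit(url).query)
    return query.get("export", ["download"])[0]


def response_headers(url: str, filename: str, content_type: str) -> dict:
    """Build response headers for a stored file referenced by url.

    'export=view' is honoured only for allow-listed types; everything else,
    text/html included, is always sent as an attachment.
    """
    # Strip characters that could break out of the header value.
    safe_name = "".join(ch for ch in filename if ch not in '"\r\n')
    headers = {
        "Content-Type": content_type,
        # Never let the browser upgrade a file to a more dangerous type.
        "X-Content-Type-Options": "nosniff",
    }
    if export_mode(url) == "view" and content_type in INLINE_SAFE_TYPES:
        headers["Content-Disposition"] = f'inline; filename="{safe_name}"'
        # Even an allow-listed preview gets no script, no forms, no origin.
        headers["Content-Security-Policy"] = "sandbox; default-src 'none'"
    else:
        headers["Content-Disposition"] = f'attachment; filename="{safe_name}"'
    return headers
```

With these headers an uploaded HTML file requested with “export=view” is downloaded instead of rendered, so its embedded JavaScript never runs in the context of the hosting origin.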
The Hacker News team noted that the Google Security Team is not new to similar errors of evaluation: last week another Google Drive clickjacking flaw was refused by Google, one that could later be extended to a phishing attack.
Pierluigi Paganini
(Security Affairs – Hacking)