A security researcher found a problem in Google's own login page that could allow a hacker to easily steal people's passwords ― and the company apparently isn't too worried about fixing it.
In a post published Saturday on his personal website, Aidan Woods writes of the find and some frustrating interactions he had with Google's security team, which told him they would not track it as a security bug.
"I hope that public disclosure will encourage Google to do otherwise," Woods wrote.
Here's what Woods figured out: Google's login page accepts an extra parameter called "continue", which tells it where to send the user once they have signed in. The destination can be any URL, as long as it is on google.com. The trouble is that google.com itself hosts pages whose only job is to forward the browser somewhere else.
So, for example, adding ?continue=http://www.google.com/amp/businessinsider.com to the login URL would bring a person to a real Google login screen. Then, after they enter their username and password, the google.com/amp/ page would pass them straight on to the home page of Business Insider, a site that has nothing to do with Google.
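To make the mechanism concrete, here is an added example in Python, not code from Woods, from Business Insider or from Google (whose real check is not public), of how a login page might validate a "continue" parameter and why a check on the host name alone is not enough. The allow-list TRUSTED_HOSTS, the RELAY_PREFIXES list, the sample URLs and the helper names are all assumptions for illustration; the article only establishes that the parameter accepts google.com URLs and that a google.com/amp/ URL sends the browser on to another site.

```python
# Added example, not from the article, from Aidan Woods, or from Google.
# It contrasts four ways a login page might validate a post-login
# "continue" parameter. TRUSTED_HOSTS, RELAY_PREFIXES and the sample URLs
# are assumptions for illustration only.
from urllib.parse import urlsplit

TRUSTED_HOSTS = {"www.google.com", "accounts.google.com"}   # assumed allow-list

# Paths on a trusted host that themselves forward the browser to another site.
# The article describes exactly one such page (google.com/amp/...); a hand-kept
# list like this is always incomplete, which is the core weakness shown below.
RELAY_PREFIXES = ("/amp/",)


def naive_check(continue_url: str) -> bool:
    """What 'starts with google.com' literally suggests: a string-prefix test."""
    return continue_url.startswith(("http://www.google.com", "https://www.google.com"))


def host_check(continue_url: str) -> bool:
    """Parse the URL and compare the host exactly against the allow-list."""
    parts = urlsplit(continue_url)
    return parts.scheme in ("http", "https") and parts.hostname in TRUSTED_HOSTS


def strict_check(continue_url: str) -> bool:
    """Host check plus rejection of known forwarding paths on the trusted host.

    Any forwarder missing from RELAY_PREFIXES still passes, which is why this is
    a mitigation rather than a fix.
    """
    if not host_check(continue_url):
        return False
    return not urlsplit(continue_url).path.startswith(RELAY_PREFIXES)


def relative_only_check(continue_url: str) -> bool:
    """Accept only a same-origin path: no scheme, no host, no protocol-relative
    form ('//host') and no backslash, which browsers treat like a slash."""
    parts = urlsplit(continue_url)
    return (parts.scheme == "" and parts.netloc == "" and "\\" not in continue_url
            and continue_url.startswith("/") and not continue_url.startswith("//"))


def evaluate(continue_url: str) -> dict:
    """Run all four checks on one candidate value of the parameter."""
    return {
        "naive": naive_check(continue_url),
        "host": host_check(continue_url),
        "strict": strict_check(continue_url),
        "relative_only": relative_only_check(continue_url),
    }


# Constructed sample values an attacker (or a legitimate app) might supply.
SAMPLES = [
    "http://www.google.com/settings",                 # legitimate destination
    "http://www.google.com/amp/businessinsider.com",  # the forwarder from the article
    "http://www.google.com.evil.example/login",       # prefix bypass via a lookalike host
    "http://www.google.com@evil.example/",            # userinfo trick: real host is evil.example
    "//evil.example/",                                # protocol-relative URL
    "/settings",                                      # same-origin path
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{url:50} {evaluate(url)}")
```

Running it shows the progression: the prefix test waves through lookalike hosts and the userinfo trick, the host test catches those but still accepts the /amp/ forwarder, and the path-blocklist only helps for forwarders someone remembered to list. The robust design is the last function: accept only a same-origin relative path (or an opaque identifier mapped to a server-side table of destinations), because a trusted host can always end up hosting a page that sends the browser elsewhere.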
And that can be a very bad thing.
As Woods notes, an attacker can redirect someone to a Google Form to gather personal information, or have them automatically download a malicious file uploaded to Google Drive. Or, in perhaps the easiest use case, a hacker can redirect a user to a website they control that looks exactly like the Google login screen, with a message saying "password incorrect, please try again", convincing the user to give up their password.
It's a classic phishing scheme that would basically use Google.com against the victim: the link they click really does point at google.com, and the login page they see is genuine; only the page that follows is fake. Email phishing, where an attacker sends an email directing someone to download malicious files or click a link, is among the most common methods cyber criminals employ these days.
That's because it's simple and very effective, and starting from a real Google login page would make it even more so.
Woods shared emails with the company's security team, which downplayed the problem. A Google employee named Karshan pointed the researcher to a Google website classifying such redirects as posing "very little practical risk", though it noted that a redirect classified as a URL whitelist bypass, which is what this is, can lead to "more serious flaws."
Business Insider confirmed the redirect issue still exists. Interestingly, another researcher who saw Woods' post claimed he contacted the company back in late June and was similarly rebuffed.
"I couldn't quite believe that Google had both understood this issue, and simply shrugged it off," Woods wrote.
Google declined to provide a statement to Business Insider.
For now, users should be cautious when asked to re-enter a password they have just typed correctly. If a page asks for your password or other personal information, double-check the address bar of that page, not the link you clicked to get there, and ensure it's still coming from google.com. If it's not, it's possible you're seeing this attack in action.
Woods created a video of how it works: