Aug 1, 2007 | Category: Google Vulns
Marcel Richter found a phishing vulnerability with Gmail/ the Google Account login. He contacted Google Security in May but the hole persists, and Google doesn’t reply to him.
Here’s how the vulnerability would appear to someone who doesn’t know about it:
1. You are seeing a link to log in to email. The link is correctly pointing to Google.com
2. After clicking the link – you’re still on Google.com – you log in (if you were already logged in, you’d be skipping this step)
3. You’ll now receive a message that your password doesn’t match, so you’ll enter your credentials again
At step 3, the cracker now has your password – because step 3 wasn’t a google.com domain anymore, but any other website which the abuser controlled.
What happened here is that Google allows you to add a parameter when you link to Google Account login pages. This parameter describes the follow-up page the user should be automatically led to once they’ve successfully logged in. Google is smart enough to only allow certain values for this parameter, but there’s a hole in this defense. After Marcel did, I contacted Google Security once more to give them some time before I explain the specifics of this hole and how someone could abuse it.
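To illustrate the class of check the paragraph above describes (an allow-list on the post-login redirect target that a look-alike page can slip past), here is an added Python example; it is not code from the post or from Google. The parameter name `continue`, the allow-list, the sample URLs and the weak check are all constructed: the weak check shows a common validation mistake for comparison, not the specific hole Marcel found.

```python
from urllib.parse import urlsplit

# Constructed allow-list of hosts a login page may redirect to after success.
ALLOWED_HOSTS = {"mail.google.com", "docs.google.com", "www.google.com"}


def weak_is_allowed(target: str) -> bool:
    """Hypothetical weak check on the `continue` value: accepts anything that
    merely contains an allowed host name. Shown only as a contrast; this is
    not a description of the actual Google bug."""
    return any(host in target for host in ALLOWED_HOSTS)


def strict_is_allowed(target: str) -> bool:
    """Hardened check: parse the URL, require https, reject userinfo and
    explicit ports, and compare the exact host against the allow-list."""
    try:
        parts = urlsplit(target)
        if parts.scheme != "https":
            return False
        if parts.username is not None or parts.password is not None:
            return False
        if parts.port is not None:
            return False
        return parts.hostname in ALLOWED_HOSTS
    except ValueError:  # malformed netloc or port
        return False


# Constructed `continue` values with the verdict a defender expects.
SAMPLES = {
    "https://mail.google.com/mail/": True,
    "https://docs.google.com/": True,
    "http://mail.google.com/": False,                    # downgrade to plaintext
    "https://mail.google.com.example.net/": False,       # allowed host as a label of another host
    "https://example.net/?next=mail.google.com": False,  # allowed host only in the query
    "https://mail.google.com@example.net/": False,       # allowed host in the userinfo part
    "//mail.google.com/": False,                         # protocol-relative, no scheme
}


def misclassified(checker) -> list:
    """Return the sample URLs on which `checker` disagrees with the expected verdict."""
    return [url for url, expected in SAMPLES.items() if checker(url) != expected]


if __name__ == "__main__":
    print("weak check gets wrong:  ", misclassified(weak_is_allowed))
    print("strict check gets wrong:", misclassified(strict_is_allowed))
```

Running it shows the substring-style check passing every non-Google sample while the parsed, exact-host check rejects all of them.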
What Marcel Richter, who’s no cracker, now did was to create a copy of the Google login page to be forwarded to. That means in step 3 above, you’ve actually been forwarded to a non-Google page that however looks just like Google’s; only by checking the browser domain again would you notice your Google Account password is about to be stolen. If someone is able to steal your account, then they can:
* change your password to block you from logging in
* read all your emails (potentially containing more passwords)
* read your private Google Docs documents, and spreadsheets
* blog at your blog
* delete your Picasa pictures, and view your unlisted Picasa pics
The best advice, whether this vulnerability gets fixed or not, is to never log in after following a link you see somewhere where you don’t know the site owner, or where you don’t know the sender of an email. And it’s even safer to always enter the URL, like “https://mail.google.com”, manually (or to pick one of your bookmarks).
From: Google Blogoscoped