A cyber security researcher has found that the Google login page can be used to steal important user login credentials including the passwords. What’s worst is that Google isn’t paying due heed to the subject.
Aidan Woods published a detailed blog post titled as “Google faulty login page“, in which he disclosed the exploitable security bug and highlighted his correspondence with Google. In the blog, he mentioned that he submitted the bug report to the Google security team but the response wasn’t quite encouraging.
Woods mentioned that the Google login page can be maltreated by adding a parameter “Continue”, such that it could redirect the user to any other URL starting with the Google domain name (google.com). In other words, a user can be tricked with an original Google login page before he is redirected to any other website. This flaw can be used to gather important personal information.
In a particular case, after the Google login page, a user can be spoofed to another Google looking page which could say ‘Incorrect Password’ and ask you for the retype. An open redirect patterned like https://www.google.com/amp/[any_domain_here] can be specified to redirect the user to the any_domain_here.
Although it is evident that the flaw can be socially engineered to prove very harmful, it failed to get any of the Google’s likings. Karshan, a Google employee, termed the flaw as of “very little practical risk”. After that Woods published the bug summary to get Google’s attention and warn the general public.
The flaw hasn’t been addressed yet and we recommend that you should check the URL before entering any login credentials. Users should also act cautiously before clicking on any links they deem non-verified.
You can read the detailed disclosure and correspondence here.