Click to Skip Ad
Closing in...

Google won’t own up to a major security flaw, researcher says

August 31st, 2016 at 8:00 PM
Google Login Malware Vulnerability

A security researcher who hunts bugs for a living says that Google won’t acknowledge one of his findings. According to Aidan Woods, the way Google’s login pages are built would help an attacker either steal login information from unsuspecting users or convince them to install files which would appear to be downloading directly from Google.

DON’T MISS: Is the iPhone 7 going after DSLRs?

The tech giant told Woods that the issues do not qualify as bugs (and, therefore, for a payout) under its bug bounty program, so Woods went public with the information, hoping the issue would get the appropriate attention.

On his blog, Woods explains how an attacker could redirect a Google user to fake Google login page where the user could enter his or her credentials believing it’s the real thing.

One other attack would be to deliver a malware payload that would download to a user’s computer without the Google service page on the screen changing to suggest an action has been taken. The download could be malware that the user could install thinking it’s coming from Google.

Because of the way Google’s domain is built, an attacker could redirect users to properties where it’s relatively easy to upload files that could then be used for malware attacks. At least that’s how Woods described the entire thing.

Google, meanwhile, thinks this isn’t a vulnerability that hackers can use. A full email exchange between Woods and Google, as well as his elaborate explanation, is available at this link.

Chris Smith started writing about gadgets as a hobby, and before he knew it he was sharing his views on tech stuff with readers around the world. Whenever he's not writing about gadgets he miserably fails to stay away from them, although he desperately tries. But that's not necessarily a bad thing.

Popular News