
Google won’t own up to a major security flaw, researcher says

Published Aug 31st, 2016 8:00PM EDT


A security researcher who hunts bugs for a living says that Google won’t acknowledge one of his findings. According to Aidan Woods, the way Google’s login pages are built would help an attacker either steal login information from unsuspecting users or convince them to install files which would appear to be downloading directly from Google.


The tech giant told Woods that the issues do not qualify as bugs (and, therefore, for a payout) under its bug bounty program, so Woods went public with the information, hoping the issue would get the appropriate attention.

On his blog, Woods explains how an attacker could redirect a Google user to a fake Google login page, where the user could enter his or her credentials believing it’s the real thing.

Another attack would deliver a malware payload that downloads to a user’s computer without the Google service page on the screen changing to suggest that an action has been taken. The user could then install the download, thinking it’s coming from Google.

Because of the way Google’s domain is built, an attacker could redirect users to Google.com properties where it’s relatively easy to upload files that could then be used for malware attacks. At least that’s how Woods described the entire thing.

Google, meanwhile, thinks this isn’t a vulnerability that hackers can use. A full email exchange between Woods and Google, as well as his elaborate explanation, is available at this link.

Chris Smith Senior Writer
