Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Login Bug Allows Credential Theft (onthewire.io)

Posted by BeauHD on from the identity-crisis dept.

Trailrunner7 writes from a report via On the Wire: Attackers can add an arbitrary page to the end of a Google login flow that can steal users' credentials, or alternatively, send users an arbitrary file any time a login form is submitted, due to a bug in the login process. A researcher in the UK identified the vulnerability recently and notified Google of it, but Google officials said they don't consider it a security issue. The bug results from the fact that the Google login page will take a specific, weak GET parameter. Using this bug, an attacker could add an extra step to the end of the login flow that could steal a user's credentials. For example, the page could mimic an incorrect password dialog and ask the user to re-enter the password. [Aidan Woods, the researcher who discovered the bug,] said an attacker also could send an arbitrary file to the target's browser any time the login form is submitted. In an email interview, Woods said exploiting the bug is a simple matter. "Attacker would not need to intercept traffic to exploit -- they only need to get the user to click a link that they have crafted to exploit the bug in the continue parameter," Woods said. Google told Woods they don't consider this a security issue.

43 comments

  1. Get on the bandwagon! by Anonymous Coward · · Score: 0

    God! I LOVE a parade!

  2. A bug? by viperidaenz · · Score: 3, Interesting

    Isn't this by design?
    You visit a page, it checks a cookie value with the authentication server, if it's invalid you get redirected to the authentication server, with a parameter that allows you to be redirected back to where you first tried to go.
    When you're redirected back, the process starts again.

    This is how a lot of SSO systems work.

    The 'continue' parameter needs to accept every possible entry point to every website the SSO authentication server supports.

    1. Re:A bug? by ewanm89 · · Score: 1

      Well, there are a few other ways to communicate the parameter other than as a GET parameter (or POST). For example the server one is trying to sign into could send it direct to google via a side channel, that said, this only stops a MITM modifying the string in flight, not a bad server sending a bad string anyway, this is how paypal handles payment amounts for example.

    2. Re:A bug? by viperidaenz · · Score: 2

      That would require a shared session be maintained between the two servers.
      The way it is designed, the SSO server doesn't require any session state at all.

    3. Re:A bug? by Anonymous Coward · · Score: 0

      One login to rule them all is and always has been an idiotic idea.

  3. "Invalid" password by Anonymous Coward · · Score: 1

    Geez, especially considering how often address bars are hidden by default on mobile, I can really see this being a huge security risk, but how could Google even really protect against something like a fake invalid password prompt? A "you logged in sucessfully page"? Would an ordinary user know something was amiss if it wasn't there? I don't think I'd notice even. I guess DFA is really the only protection against this.

  4. How is this different than Facebook phishing? by Anonymous Coward · · Score: 2, Funny

    I always said Facebook has a flawed login system because any website could say,"Login with Facebook." And have a fake login/password prompt to steal credentials.

    Is this what this also is doing? Cuz I never type my password in anywhere except Google... Or pokemon... ;)

    Or is this a more automatic things? Visit the wrong website and you're compromised?

    1. Re:How is this different than Facebook phishing? by Gavagai80 · · Score: 1

      That's only an issue with "Login with Facebook" (or the "Login with Google" equivalent) for users who aren't already logged into Facebook(/Google). If they're logged in all the time like most people, there's never a login prompt so they may think twice when they see one. Likewise people should be extra skeptical when redirected to a failed login page for an openid-type login.

      --
      This space intentionally left blank
    2. Re:How is this different than Facebook phishing? by parkinglot777 · · Score: 1

      Likewise people should be extra skeptical when redirected to a failed login page for an openid-type login.

      You have too much faith in users... (-_-')

    3. Re:How is this different than Facebook phishing? by Anonymous Coward · · Score: 0

      +1

      I've seen a website with it's own username/password system and Google. Even without trying to deceive users some tried to login with their google email/account in site's own login form.

  5. You mean... by 110010001000 · · Score: 1

    ...I could construct a web page that looks like a Google login page, and then read the credentials typed in? Witchcraft!

    1. Re: You mean... by Anonymous Coward · · Score: 1

      No it's like you can make your site use Google to log in for your site. That sends the user to an actual Google login page. Then after they login your site mimics Google's invalid password page.

    2. Re: You mean... by 110010001000 · · Score: 1

      Uh yes. That is what I said. When you type your credentials again in the page it "steals" them. You don't even need to do the "use Google to login" part. Just write a fake Google login screen. WTF.

    3. Re: You mean... by sexconker · · Score: 1

      The difference here is people are idiots and are trained to accept logging into shit with Google for some reason.
      So even if they're smart and check that they're on google.com when they initiate the login, they're vulnerable if they don't check the URL again during the malicious step at the end.

  6. I don't see the bug either by Jumunquo · · Score: 5, Insightful

    The article basically says the steps to exploit this are:
    1) Get the user to visit your suspicious website/link.
    2) Get them to click on a login using Google link that sends them to google.com/continue?= (something like this)
    3) They enter their Google credentials
    4) It redirects them to your fake login page that says wrong password.
    5) They enter their Google credentials again, and you steal them.

    So, really, you could omit steps 2 & 3 and just send them straight to the fake login page. In the end, the only real problem is entering your login details on a non-Google domain. Paypal/Facebook/Steam/etc. all do the same thing.

    1. Re:I don't see the bug either by swillden · · Score: 4, Insightful

      Maybe. I think the issue (if any) lies here:

      2) Get them to click on a login using Google link that sends them to google.com/continue?= (something like this)

      The problem is that the Google login page will be totally legitimate. The lock icon will be green, certificate pinning will ensure all is safe/good, etc. So it's not completely unreasonable that a person who might have been suspicious (but not too suspicious to click the link) prior to this point would now decide "okay, this is legit", and continue onward... and not notice that on the fake login page they're no longer on a Google site.

      So, if it's a weakness, it's one that doesn't affect totally clueless users, who could have been directed to the fake login page to begin with, and it doesn't affect clueful/careful users who check their address bar at both the real and fake login pages and know how to tell the difference. It affects only somewhat careful users who check their address bar at the real login page and then figure they're safe from there on out. Well, it also has to be a user to is willing to click a Google login link from a random, untrusted site.

      So I agree it's very, very narrow. I'm not sure I agree it's not an issue. But I know the Google Security Team guys well (I work for Google, on security, though not this stuff), and they're extraordinarily paranoid (that's a good thing), so my guess is that there is some other mitigating factor that I'm not seeing, and they just haven't done a good job of communicating the rationale to the researcher, or have some reason they can't communicate it.

      I have asked on an internal mailing list. If the response is something I can share here, I will.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    2. Re:I don't see the bug either by Jumunquo · · Score: 1

      I would imagine the "Login using Google" at third-party sites wouldn't work w/o this:
      https://developers.google.com/...

      Google Wallet might not work too smoothly either What Paypal does is display a message that you're being redirected and waits a few seconds before redirect, and I've seen other sites do this too. Does Google do the same thing?

    3. Re:I don't see the bug either by 110010001000 · · Score: 1

      Um, its not a weakness at all. You can't prevent it. If someone types their credentials in a fake login page and submits it, well then that is how the web works.

    4. Re: I don't see the bug either by Anonymous Coward · · Score: 0

      That's why SAML and OAuth SSO should have never been a thing. Imah it a legitimate service using Google login. A hacker manages to hack the service and replaces the first page after the user is returned 1 out of 1000 times to present a fake failed login one (or blank screen where users reload), it collects the credentials and then passes off the users to the real application. The hacker lays low and collects in a month or two.

      All the SAML and OAuth is vulnerable

    5. Re:I don't see the bug either by swillden · · Score: 4, Informative

      I have asked on an internal mailing list. If the response is something I can share here, I will.

      The response is basically that it's not worth fixing because there are so many other ways to do the same thing, many of them arguably better (for the attacker). Fixing this would require redesign of lots of stuff... and it couldn't prevent any of the other attacks that achieve the same thing, so it would be a lot of effort for no return.

      An example of a similar/better attack: http://lcamtuf.coredump.cx/swi...

      In that demonstration the example banking site is not HTTPS-protected, but the attack would work just as well if it were. There are other ways as well, I'm told (I'm not a web security guy).

      My takeaway is that *every* time I type or submit sensitive data into a web page I must check the address bar. I actually do that anyway; this just reaffirms the importance of that habit.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    6. Re:I don't see the bug either by swillden · · Score: 1

      Um, its not a weakness at all. You can't prevent it. If someone types their credentials in a fake login page and submits it, well then that is how the web works.

      You didn't read the post you responded to.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    7. Re:I don't see the bug either by skoskav · · Score: 1

      Even a careful user does not necessarily check the address bar after every page request, especially if the new page still looks like the previous one.

      Our company had this exact phishing possibility in one of our product's authentication flow. The solution was to white-list the domain being returned to, as it had to be previously known by the system as either an identification provider or service provider.

    8. Re:I don't see the bug either by Anonymous Coward · · Score: 0

      You can prevent this. The attack here is to trick users into thinking that they are still on the Google servers.
      It can be trivially (but in an inconvenient way) prevented by showing a "you are logged in now and we are redirecting you now to a 3-rd party page, never enter your Google password there, click to confirm".
      A lot of forums do that, and I find it more of an annoyance than useful.
      But there might be an argument for a 1-second "logged in successfully" page at least.

    9. Re:I don't see the bug either by Anonymous Coward · · Score: 0

      I reported this bug to the Google Security Team in 2011, here is a quote from their reponse

      "In these instances, we believe the usability and security benefits of a well-implemented and carefully monitored URL redirector tend to outweigh the perceived risks."

      Joseph Foulds

    10. Re:I don't see the bug either by Junta · · Score: 1

      But then people would complain 'what if they had a slow internet and went to sip a cup of coffee or something' if the time is too short. The click-through idea seems viable enough. However I'm still skeptical that a user that would be vigilant about the address bar would suddenly stop being vigilant if the page clearly reloads. Either they are vigilant throughout or they would fall for a phishing page without ever touching google's servers.

      --
      XML is like violence. If it doesn't solve the problem, use more.
    11. Re: I don't see the bug either by Anonymous Coward · · Score: 0

      This is why it's doubly sad Mozilla mostly discontinued their Persona system. Obsoleting passwords and using only browser integrated login (vendor neutral of course) is the only real solution.

    12. Re:I don't see the bug either by Carewolf · · Score: 1

      An example of a similar/better attack: http://lcamtuf.coredump.cx/swi...

      That says in my address bar:

        data:text/html;-peak.us/banking_interface/%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20
        + more crap like that

      Not sure I would trust that URL

  7. SRP/Nonce puts an end to Phishing by aberglas · · Score: 1

    Whatever happened to the basic nonce? You know, the thing in every browser since Netscape that lets you type in a password but the password does not actually get sent to the server, just a hash of it and the password. Puts an end to this type of thing.

    An even better algorithm is SRP https://en.wikipedia.org/wiki/... which provides good security even on weak passwords. (Ordinary nonces can be brute forced off line, SRP cannot.)

    But no, the critical thing is a pretty user interface. And the browser/nonce interface has not been updated in decades. And it can be spoofed -- the nonce password needs to be entered in the URL bar.

    The whole basis of web security is that users always check the URL is exactly valid. Which was known to be bullshit from the beginning.

    This is a problem that could and should have been solved long ago. And actually, it was...

    1. Re:SRP/Nonce puts an end to Phishing by brantondaveperson · · Score: 2

      The nonce+hash algorithm exists to prevent eavesdropping on the network traffic. This problem is solved better by just using SSL traffic for everything, since nonce+hash has the disadvantage that since the server never sees the actual password, the only authentication process that can realistically be supported is a local password database.

      Plus, of course, phishing has nothing to do with either method. Phishing is just faking the login page, and sending the credentials elsewhere.

    2. Re:SRP/Nonce puts an end to Phishing by ewanm89 · · Score: 1

      You are talking challenge response authentication. The problem with that generally is that the shared secret (password ore hash of the password that is then used as the password so an attacker can just skip the hashing step in an attack) has to be stored in plain text on the server (obviously this means we have a major credential theft issue server side) as to be able to calculate the response, this is true for CRAM-MD5 (which is why it hasn't been updated from MD5), CHAP, OATH, DIGEST-MD5, and zero knowledge proofs like SRP.

      Now there is one challenge response algorithm that does not have this issue, known as SCRAM, however it is only supported in SASL at time of writing which means we can use it for POP3, IMAP and XMPP authentication, it also requires ca signed encryption certificates for the client.

      Finally, challenge-response authentication does not stop the attack they are suggesting or any other phishing attack as that is all this is really, only this one is phishing attack on the open redirect of the login process rather than directly.

    3. Re:SRP/Nonce puts an end to Phishing by mmogilvi · · Score: 1

      Properly implemented, SRP does not store the the secret on the server end. It only stores v=pow(g,x) mod N, where "x" is a secret needed on the client end (derived from the password), and can't be extracted from v without either using a brute-force algorithm (try all weak passwords), or solving the discrete logarithm problem. You may want to read https://en.wikipedia.org/wiki/Secure_Remote_Password_protocol more carefully.

      I hadn't looked at SCRAM before, but from at a quick glance it looks like the only thing preventing an attacker from brute forcing weak passwords from nothing but a passively captured login session is an expensive-to-compute hash function (PBKDF2). It isn't as bad if SCRAM is wrapped in an SSL/TLS session with associated certificate, but if you really trust nothing has MITMed (i.e. incorrectly trusted certificate) or otherwise broken TLS (from the perspective of the client authenticating the server), then why not just send the password directly through the tunnel (from client to server), and avoid extra complexity?

      Note that capturing a login session is generally a much lower bar than obtaining the password database, and SRP does not allow brute forcing even trivially weak passwords from just a captured login exchange. (As long as there aren't any huge breakthroughs in quantum computing or other discrete logarithm algorithms.)

      All that said, you are correct that SRP or other low level single-connection authentication mechanisms do nothing for the cross-party authentication issue discussed in the article.

    4. Re:SRP/Nonce puts an end to Phishing by Anonymous Coward · · Score: 0

      Good to see someone else that knows SRP.

      It is actually a very dangerous algorithm, for if it were widely adopted it would kill off about half of the security industry.

    5. Re:SRP/Nonce puts an end to Phishing by Anonymous Coward · · Score: 0

      You completely miss the point, like most.

      If you have a secure SSL connection to thieves.ru and enter your bank password, they will have it. But the nonce (or better SRP) will prevent that.

      And very few people in real user land ever checks the URL in the browser. So PKI certificates are worthless.

    6. Re:SRP/Nonce puts an end to Phishing by Cederic · · Score: 1

      While your use of the term 'nonce' is correct English, it's probably worth checking other uses for the term in the UK if you're planning to speak to international audiences.

      You don't want to be labelled a nonce.

    7. Re:SRP/Nonce puts an end to Phishing by Maritz · · Score: 1

      And very few people in real user land ever checks the URL in the browser. So PKI certificates are worthless.

      So you've never seen one of these eh? Weird.

      --
      I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
    8. Re:SRP/Nonce puts an end to Phishing by Junta · · Score: 1

      Of course there is TOTP (which can use pretty much *any* compute device) and U2F (dongle required). Practically speaking, requiring one of these two neatly gets the Nonce behavior you desire (well, roughly, a phishing attack would get a token that would be valid for at least a short period of time).

      I agree SRP was a nice concept, but in practice, no one is interested.

      --
      XML is like violence. If it doesn't solve the problem, use more.
    9. Re: SRP/Nonce puts an end to Phishing by Anonymous Coward · · Score: 0

      Nonce is a common programming term. It should mean the same in all languages when being applied to programming.

      I think the word you are looking for is "dunce". As in, you where a hat that says dunce on it.

    10. Re: SRP/Nonce puts an end to Phishing by Anonymous Coward · · Score: 0

      Wear***

      No lie, spell checker got rid of my wear and replaced it with where.

    11. Re:SRP/Nonce puts an end to Phishing by Anonymous Coward · · Score: 0

      That is nonsense.

      It only says that a cert is not valid, not that it points to a trustworthy site. There is nothing that stops thieves.ru getting a valid cert, and making their site look lik a bank, say.

      And if any of the 100s of CAs stuffs up, you won't even get that.

  8. Working for Google on security by raymorris · · Score: 1

    > I know the Google Security Team guys well (I work for Google, on security

    I've been working in internet security for 20 years, and of course Google stands out as possibly a very interesting place to work. You Googlers do some really neat stuff. I'd be interested to hear anything more you have to say about working for Google on security. Do you enjoy it? Any suggestions for someone who might end up working there sometime relatively soon?

    1. Re:Working for Google on security by swillden · · Score: 1

      Google is a great place to work. With regard to security, it's especially satisfying because (a) what you do matters, given the scope and scale of the company, and (b) the company really takes security seriously.

      I'd be happy to discuss this more deeply. Feel free to e-mail me.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  9. Reported in 2011 by Anonymous Coward · · Score: 0

    I rarely post on Slashdot so have to be AC but wanted to point out that I personally reported this security vulnerability to the Google Security Team in 2011 and was met with the exact same response.

    An exact quote from their email response:
    "In these instances, we believe the usability and security benefits of a well-implemented and carefully monitored URL redirector tend to outweigh the perceived risks."

    Joseph Foulds

  10. normal behaviour by Anonymous Coward · · Score: 0

    Well Google don't really care do they,as long as they get as much data as possible,they don't worry that other people can get access to the same data as well,Google are on3 of only a small number of organisations who can do anything useful with bulk personal data in that amount,they certainly don't care about individual users of their services,try making a complaint to Google's customer services,if you can find an email address or phone number to do so,even if you do,all they will do is ignore you,the only time they react is if it's the start of a legal action and it's from serious legal firms,I have made multiple complaints to Google over the years and have only ever recieved one auto reply,yet if you want to give them some money or owe them money,they are on your tail 24/7.
    What they meant years ago was not do no evil but don't get caught doing evil..
    Google = a long way of spelling shit..