Slashdot Mirror


Google Login Bug Allows Credential Theft (onthewire.io)

Trailrunner7 writes from a report via On the Wire: Attackers can add an arbitrary page to the end of a Google login flow that can steal users' credentials, or alternatively, send users an arbitrary file any time a login form is submitted, due to a bug in the login process. A researcher in the UK identified the vulnerability recently and notified Google of it, but Google officials said they don't consider it a security issue. The bug results from the fact that the Google login page will take a specific, weak GET parameter. Using this bug, an attacker could add an extra step to the end of the login flow that could steal a user's credentials. For example, the page could mimic an incorrect password dialog and ask the user to re-enter the password. [Aidan Woods, the researcher who discovered the bug,] said an attacker also could send an arbitrary file to the target's browser any time the login form is submitted. In an email interview, Woods said exploiting the bug is a simple matter. "Attacker would not need to intercept traffic to exploit -- they only need to get the user to click a link that they have crafted to exploit the bug in the continue parameter," Woods said. Google told Woods they don't consider this a security issue.
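The summary above says the weakness lies in how the login page handles its `continue` parameter, but does not describe the check itself. As an added example (not code from the article, from the researcher, or from Google), the block below contrasts a hypothetical weak post-login redirect check (a plain substring match, assumed here purely for illustration) with a strict origin allowlist. The host names `accounts.example.com`, `mail.example.com` and `evil.example`, the `ALLOWED_HOSTS` set and all sample URLs are constructed for the example.

```python
# Added example, not code from the article, the researcher, or Google. It
# contrasts a hypothetical weak "continue" check (substring match, assumed
# here purely for illustration) with a strict origin allowlist that a
# post-login redirect parameter should be validated against.
from urllib.parse import urlsplit, urlunsplit

# Assumed allowlist: the only hosts the login page may hand the browser to.
ALLOWED_HOSTS = {"accounts.example.com", "mail.example.com"}
DEFAULT_CONTINUE = "https://accounts.example.com/"


def weak_continue_check(url: str) -> bool:
    """Hypothetical weak check: passes if an allowed host appears *anywhere*
    in the string. Tricks such as `https://good.example.evil.example`,
    `https://evil.example/?q=good.example` or `javascript:...//good.example`
    all slip through."""
    return any(host in url for host in ALLOWED_HOSTS)


def safe_continue(url: str) -> str:
    """Return a redirect target that is safe to use after login.

    Anything that is not an absolute https URL whose parsed hostname is on
    the allowlist (no userinfo, no non-default port) falls back to
    DEFAULT_CONTINUE. The result is rebuilt from parsed components so the
    attacker-controlled string is never echoed verbatim and the fragment
    is dropped."""
    try:
        parts = urlsplit(url)
        host = parts.hostname          # lowercased, userinfo and port removed
        port = parts.port              # raises ValueError on junk ports
    except ValueError:
        return DEFAULT_CONTINUE
    if parts.scheme != "https" or host not in ALLOWED_HOSTS:
        return DEFAULT_CONTINUE
    if parts.username is not None or parts.password is not None:
        return DEFAULT_CONTINUE        # e.g. https://good.example@evil.example/
    if port not in (None, 443):
        return DEFAULT_CONTINUE
    return urlunsplit(("https", host, parts.path or "/", parts.query, ""))


# Constructed sample inputs (not captured traffic).
SAMPLES = [
    "https://mail.example.com/inbox",
    "https://accounts.example.com.evil.example/",
    "https://accounts.example.com@evil.example/",
    "https://accounts.example.com\\@evil.example/",
    "//evil.example/",
    "https://evil.example/?next=https://accounts.example.com",
    "javascript:alert(1)//accounts.example.com",
]


def compare(samples=SAMPLES) -> dict:
    """Map each sample to (weak check result, strict redirect target)."""
    return {s: (weak_continue_check(s), safe_continue(s)) for s in samples}


if __name__ == "__main__":
    for url, (weak, strict) in compare().items():
        verdict = "ACCEPT" if weak else "reject"
        print(f"weak={verdict:6}  strict->{strict:40}  {url}")
```

The strict version parses first and decides on the parsed hostname, so look-alike subdomains, `user@host` tricks, backslash-before-`@` confusion, protocol-relative URLs and non-https schemes all fall back to the default landing page. Note that this only closes the redirect step; it does nothing about the broader point made in the comments that a phishing page can be reached by other routes entirely.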

1 of 43 comments

  1. Re:I don't see the bug either by swillden · Score: 4, Informative

    I have asked on an internal mailing list. If the response is something I can share here, I will.

    The response is basically that it's not worth fixing because there are so many other ways to do the same thing, many of them arguably better (for the attacker). Fixing this would require redesign of lots of stuff... and it couldn't prevent any of the other attacks that achieve the same thing, so it would be a lot of effort for no return.

    An example of a similar/better attack: http://lcamtuf.coredump.cx/swi...

    In that demonstration the example banking site is not HTTPS-protected, but the attack would work just as well if it were. There are other ways as well, I'm told (I'm not a web security guy).

    My takeaway is that *every* time I type or submit sensitive data into a web page I must check the address bar. I actually do that anyway; this just reaffirms the importance of that habit.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.