Google Account Phishing Vulnerability

Tuesday, August 7, 2007

Google Account Phishing Vulnerability

Marcel Richter found a phishing vulnerability with Gmail/ the Google Account login. He contacted Google Security in May but the hole persists, and Google doesn’t reply to him.

Here’s how the vulnerability would appear to someone who doesn’t know about it:

You are seeing a link to log-in to email. The link is correctly pointing to Google.com
After clicking the link – you’re still on Google.com – you log-in (if you were already logged-in, you’d be skipping this step)
You’ll now receive a message that your password doesn’t match, so you’ll enter your credentials again

At step 3, the cracker now has your password – because step 3 wasn’t a google.com domain anymore, but any other website which the abuser controlled.

What happened here is that Google allows you to add a parameter when you link to Google Account login pages. This parameter describes the follow-up page the user should be automatically led to once they’ve successfully logged-in. Google is smart enough to only allow certain values for this parameter, but there’s a hole in this defense. After Marcel, I contacted Google security once more to give them some time before I’ll explain the specifics of this hole and how someone could abuse it.

What Marcel Richter, who’s no cracker, now did was to create a copy of the Google login page to be forwarded to. That means in above step 3, you’ve actually been forwarded to a non-Google page that however looks just like Google’s; only by checking the browser domain again would you notice your Google Account password is about to be stolen. If someone is able to steal your account, then they can:

change your password to block you from logging in
read all your emails (potentially containing more passwords)
read your private Google Docs documents, and spreadsheets
blog at your blog
delete your Picasa pictures, and view your unlisted Picasa pics
etc.

The best advice, whether this vulnerability gets fixed or not, is to never log-in after following a link you see somewhere where you don’t know the site owner, or where you don’t know the sender of an email. And it’s even more safe to always enter the URL, like “https://mail.google.com”, manually (or to pick one of your bookmarks).

[Thanks Marcel!]

Google Account Phishing V ... by Philipp Lenssen | Comments (14)

>> More posts

Blog | Forum more >> Archive | Feed | Google's blogs | About

This site unofficially covers Google™ and more with some rights reserved. Join our forum!