Here’s how the vulnerability would appear to someone who doesn’t know about it:
At step 3, the cracker now has your password – because step 3 wasn’t on a google.com domain anymore, but on some other website the abuser controlled.
What happened here is that Google allows you to add a parameter when you link to Google Account login pages. This parameter names the follow-up page the user is automatically sent to once they’ve successfully logged in. Google is smart enough to only allow certain values for this parameter, but there’s a hole in this defense. After Marcel’s report, I contacted Google security once more, to give them some time before I explain the specifics of this hole and how someone could abuse it.
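What a correct check on such a follow-up-page parameter has to get right, as an added example: this is not Google’s code and makes no claim about the specific hole in their filter; the allowed domain, the default landing page and the constructed sample inputs are all assumptions.

```python
from urllib.parse import urlsplit

# Hypothetical: the only domain a login page may forward to after sign-in.
ALLOWED_DOMAIN = "example.com"


def is_allowed_host(host: str) -> bool:
    """Exact domain or a real subdomain of it (dot boundary required)."""
    host = host.lower().rstrip(".")
    return host == ALLOWED_DOMAIN or host.endswith("." + ALLOWED_DOMAIN)


def safe_redirect_target(raw: str, default: str = "https://mail.example.com/") -> str:
    """Return `raw` only if it is a target we are willing to send a freshly
    logged-in user to; anything doubtful falls back to the default page."""
    if not raw or any(ch in raw for ch in "\\\r\n\t "):
        return default  # backslashes/whitespace are parsed differently by browsers
    try:
        parts = urlsplit(raw)
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return default
    if parts.scheme != "https":
        return default  # also rejects protocol-relative ("//host") and bare paths
    if parts.username is not None or parts.password is not None:
        return default  # "https://good.host@other.host" goes to other.host
    if parts.hostname is None or port not in (None, 443):
        return default
    if not is_allowed_host(parts.hostname):
        return default  # a substring check would wrongly pass "good.host.other.host"
    return raw


if __name__ == "__main__":
    # Constructed sample inputs: only the first two may be forwarded to.
    for candidate in [
        "https://mail.example.com/inbox",
        "https://docs.example.com:443/d/1",
        "http://mail.example.com/",
        "//mail.example.com/",
        "https://mail.example.com.other.test/",
        "https://mail.example.com@other.test/",
        "https://other.test/?next=https://mail.example.com",
    ]:
        print(f"{candidate!r:55} -> {safe_redirect_target(candidate)}")
```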
What Marcel Richter, who’s no cracker, then did was to create a copy of the Google login page and use it as the page to forward to. That means in step 3 above, you were actually forwarded to a non-Google page that looks just like Google’s; only by checking the domain in the browser again would you notice your Google Account password is about to be stolen. If someone is able to steal your account, then they can:
The best advice, whether this vulnerability gets fixed or not, is to never log in after following a link you found somewhere, when you don’t know the site owner or the sender of the email. Safer still is to always enter the URL, like “https://mail.google.com”, manually (or to pick one of your bookmarks).