Andrew Cantino, the vice president of engineering at Mavenlink, detailed his attack in a blogpost st week. According to him, the attack could be used by an attacker to target a particular person or organization. A cyber criminal could share a Google document with an email address, un-checking the option by which Google sends the recipient a notification.
TIMING ATTACK USED TO DE-MASK TOR USER’S IDENTITY
Now, using timing attack exploit technique, a cyber criminal could figure out when someone logged into any one of the shared addresses visits the their site, Cantino said. An attacker could even use this attack in spear phishing campaigns or even could unmask the identity of Tor users if they’re logged in to Google while using the Tor browser.
Timing attack can allow to unmask targeted Google users as they browse the web. Cantino said the attack is straightforward. For example, if I control a website and want to know when a particular user with a particular Gmail address visits my website, in this case, I could use the exploit technique to identify the identity of that targeted user, and that too without setting a cookie.
If the Google document is viewable by the visitor, it will take longer to load the resulting page than if the document is not viewable.
“Since the result isn’t an image, the onerror callback of the image is triggered in both cases, but we can record how long it takes from image instantiation to triggering of the onerror. This time will be greater when the document is accessible. In my experiments, loading took an average of 891ms when the document was available, but 573ms when it was not,” Cantino said.
In order to gain users’ trust and steal credentials, an attacker could even make use of a phishing page that looks just like it’s logged into the victim’s account. This type of targeting attack could also help to identify the Tor users, if they’re logged into their Google account.
For those who are not aware of Timing attack, Timing attack is a type of side channel attack where an attacker gains information from the implementation of a cryptosystem rather than from any inherent weakness in the mathematical properties of the system.
Timing attacks exploit the timing variations in cryptographic operations. Because of performance optimizations, computations performed by a cryptographic algorithm often take different amounts of time depending on the input and the value of the secret parameter.
ISSUE REPORTED TO GOOGLE - NO FIX
The issue was responsibly reported to Google Security team by Andrew Cantino, the vice president of engineering at Mavenlink. The search engine giant acknowledged the issue, but declined to fix it because the risk, both in terms of impact and difficulty of exploiting this against a large population, is low.
“I don't really disagree with them— this is hard to fix, and fairly theoretical,” said Cantino, who previously had been awarded a bug bounty from Google multiple times. “Still, I think this is an interesting example of a timing attack, and shows how hard these sorts of issues can be to avoid.”