Once again the Google Security Team has shot itself in the foot. Ansuman Samantaray, an Indian penetration tester, discovered a small but creative security flaw in Google Drive that poses a phishing threat to millions of Google users. The Google Security Team dismissed the report, replying, "It is just a mere phishing attempt, not a bug in Google."
According to Ansuman, he reported a JavaScript execution vulnerability in Google Drive files to the Google Security Team on 20th December 2012, and Google rejected the report on 21st December.
The ability to execute a malicious script through Google Drive files is more than a phishing risk: an attacker could extend the same technique to spreading malware and other attacks on the victim's browser session.
The flaw lies in the way Google Drive previews documents in the browser. The online preview renders code written in a "doc" file as HTML/JavaScript simply by changing the value of a URL parameter called "export".
For example: https://docs.google.com/uc?authuser=0&id=0B6mcoM7O55_jWXp2N2FvdHBVTTg&export=download
When a Google user uploads or creates a file on Google Drive/Docs, the URL to that file has "export" set to "download" by default, so that the user's browser saves the file rather than displaying it.
But Ansuman found that if an attacker changes this "export" parameter to "view", the browser renders the attacker's document inline and executes the malicious code written in it.
For example: https://docs.google.com/uc?authuser=0&id=0B6mcoM7O55_jWXp2N2FvdHBVTTg&export=view
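The following is an added example, not Google's code and not part of the original report: a small Python model of a file-serving endpoint with an "export" parameter, written in the vulnerable shape the article describes (download forces an attachment, view renders the stored file inline with whatever MIME type the uploader declared) next to a hardened version. The `StoredFile` type, the `serve_*` functions, the allow-list and the sample "document" are all assumptions made for the illustration; the exact headers Google's endpoint sent are not on the page. The hardened version generalises beyond the doc-file case: any uploaded type outside a short allow-list is forced to download, and even an allowed inline preview is sandboxed.

```python
# Added example (not Google's code): a model of a file endpoint that honours an
# "export" parameter, shown in vulnerable and hardened forms.
from dataclasses import dataclass


@dataclass
class StoredFile:
    name: str            # filename chosen by the uploader
    declared_type: str   # MIME type recorded at upload time; attacker-controlled
    content: bytes


def serve_vulnerable(export: str, f: StoredFile) -> dict:
    """Behaviour described in the article: export=download forces a download,
    export=view sends the file inline with the uploader's declared type."""
    headers = {"Content-Type": f.declared_type}
    if export == "download":
        headers["Content-Disposition"] = f'attachment; filename="{f.name}"'
    # export=view: no Content-Disposition, so a text/html "document" is rendered
    # and its <script> runs on the serving site's origin.
    return {"status": 200, "headers": headers, "body": f.content}


# Types that are safe to render inline once sniffing is disabled (assumption:
# a deliberately small allow-list; HTML, SVG and PDF are excluded on purpose).
SAFE_INLINE_TYPES = {"image/png", "image/jpeg", "image/gif", "text/plain"}


def _safe_filename(name: str) -> str:
    """Strip characters that could break out of the quoted filename or inject
    a new header line (CR/LF and other non-printables, quotes, backslashes)."""
    return "".join(c for c in name if c.isprintable() and c not in '"\\')


def serve_hardened(export: str, f: StoredFile) -> dict:
    """Only allow-listed types may be previewed; everything else downloads no
    matter what "export" says. nosniff stops the browser reinterpreting the
    body, and an inline preview is additionally sandboxed via CSP so that a
    mis-typed document cannot run script against the origin."""
    inline_ok = export == "view" and f.declared_type in SAFE_INLINE_TYPES
    name = _safe_filename(f.name)
    headers = {
        "X-Content-Type-Options": "nosniff",
        "Content-Type": f.declared_type if inline_ok else "application/octet-stream",
    }
    if inline_ok:
        headers["Content-Disposition"] = f'inline; filename="{name}"'
        headers["Content-Security-Policy"] = "sandbox"
    else:
        headers["Content-Disposition"] = f'attachment; filename="{name}"'
    return {"status": 200, "headers": headers, "body": f.content}


def renders_as_html(resp: dict) -> bool:
    """Would a browser treat this response as an HTML document to display?
    A missing Content-Disposition defaults to inline."""
    h = resp["headers"]
    disposition = h.get("Content-Disposition", "inline")
    return disposition.startswith("inline") and h["Content-Type"].startswith("text/html")


# Constructed sample: a "document" whose body is really HTML with a script.
PHISHING_DOC = StoredFile(
    name="invoice.doc",
    declared_type="text/html",
    content=b"<script>alert(document.domain)</script>",
)

if __name__ == "__main__":
    for export in ("download", "view"):
        print(export, "vulnerable renders HTML:", renders_as_html(serve_vulnerable(export, PHISHING_DOC)))
        print(export, "hardened renders HTML:  ", renders_as_html(serve_hardened(export, PHISHING_DOC)))
```

The point of the hardened version is that the decision to render inline is taken from an allow-list the server controls, not from a query parameter the attacker can rewrite in a link; the `export` value can at most choose between "download" and "preview if the type is safe". Serving user uploads from a separate origin (as Google's *.googleusercontent.com domains do) is the other standard mitigation, since script running there cannot read the main site's cookies or DOM.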
"Any internet user can enter malicious scripts in the application which, when sent as an email to a victim user, can steal the user's information. Such attacks can be used to launch devastating XSS-based attacks," he told 'The Hacker News'.
For demonstration purposes we have uploaded a file to Google Drive, available here (with the download value) and here (with the view value). A simple JavaScript snippet in the document prompts a fake password login, asking the user to re-authenticate in order to view the document, as shown above:
If successful, a remote file logs the victim's password (here) and redirects to the Google Drive homepage.
This is not the first time the Google security team has failed to analyse the possible threat level. Last week, another Google Drive clickjacking flaw was refused by Google, and that one was later extended to a phishing attack as well.