Google login URL phish 'bug'


A chap called Aiden Woods has found a way to potentially phish people for their Google login information.

First, create a Google Form that asks the user to confirm their personal details such as their social security number, date of birth and password, then publicly share that form. Next, send a link to your victim that contains something like...

https://accounts.google.com/ServiceLogin?continue=https://www.google.com/#identifier

...but replace the...

continue=https://www.google.com

...part with...

continue=https://docs.google.com/forms/shared/evil/form

When your mark visits that URL, they'll be prompted by Google to log in, and after they do, they will be forwarded to the URL given by the continue parameter. Because it's a *.google.com URL, the login system accepts it and redirects the browser to your malicious form: the check only cares that the destination sits somewhere under google.com, not that it's a page Google itself controls, and shared Forms and Drive files live on docs.google.com like everything else.

At that point, your gullible victim thinks, because they just logged in, they're now facing a legit Google page asking them for personal information, which they may hand over by filling in and submitting your form, delivering the responses straight to your account.


Woods thinks this is pretty bad. Google disagrees, and thinks it's unconvincing because it'll be obvious to people that they've been taken to a shared form and not an official Google page.

Also, as Woods points out, you can change the continue parameter to...

https://docs.google.com/uc?id=[file_id_here]&export=download

...and make someone automatically download a malware-laced executable from your shared Google Drive after they log in. If the victim is careless enough to open that file, well, it's game over for them.
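To make the redirect mechanism concrete, here is an added example (written for this page, not Woods' or Google's code) that builds the phishing link for the shared-form and Drive-download variants above, recovers the continue= target the way a login page would, and puts a suffix check that trusts any host under google.com beside a stricter allowlist check. The target paths, the FILE_ID placeholder and the allowlist contents are assumptions for illustration; Google's real validation logic is not public and is not reproduced here.

```python
from urllib.parse import urlparse, parse_qs, urlencode

# Constructed sample targets, modelled on the continue= values in the article.
# The form path and FILE_ID are placeholders, not real Google identifiers.
BENIGN_TARGET = "https://www.google.com/"
FORM_TARGET = "https://docs.google.com/forms/shared/evil/form"
DRIVE_TARGET = "https://docs.google.com/uc?id=FILE_ID&export=download"


def build_login_url(target):
    """Build the phishing link: Google's real login page with an attacker-chosen
    continue= value. urlencode() percent-encodes the target so its own ?, & and =
    survive as part of the continue value instead of splitting the outer query."""
    return ("https://accounts.google.com/ServiceLogin?"
            + urlencode({"continue": target}) + "#identifier")


def continue_target(login_url):
    """Recover the continue= value a login URL would redirect to after sign-in."""
    params = parse_qs(urlparse(login_url).query)
    return params.get("continue", [None])[0]


def weak_is_safe(target):
    """Suffix check in the spirit of the behaviour the article describes: any
    host under google.com is trusted. This is what lets a shared Form or Drive
    file through, because those are served from docs.google.com too."""
    host = urlparse(target).hostname or ""
    return host == "google.com" or host.endswith(".google.com")


# Hypothetical allowlist of hosts and path prefixes that serve only first-party
# pages. Anything able to host user-supplied content is deliberately absent.
ALLOWED_PREFIXES = {
    "www.google.com": ("/",),
    "mail.google.com": ("/",),
    "calendar.google.com": ("/",),
}


def strict_is_safe(target):
    """Hardened check: https only, no userinfo tricks such as
    https://accounts.google.com@evil.example/, and host plus path must match an
    explicit allowlist rather than a domain suffix."""
    p = urlparse(target)
    if p.scheme != "https" or p.username is not None or p.password is not None:
        return False
    prefixes = ALLOWED_PREFIXES.get(p.hostname or "")
    if not prefixes:
        return False
    path = p.path or "/"
    return any(path.startswith(prefix) for prefix in prefixes)


if __name__ == "__main__":
    for target in (BENIGN_TARGET, FORM_TARGET, DRIVE_TARGET):
        link = build_login_url(target)
        print(link)
        print("  redirects to :", continue_target(link))
        print("  suffix check :", "ALLOW" if weak_is_safe(target) else "BLOCK")
        print("  allowlist    :", "ALLOW" if strict_is_safe(target) else "BLOCK")
```

One caveat worth checking before reusing the Drive variant: if the continue value is pasted into the link unencoded, as the article writes it, the `&export=download` part is parsed as a separate parameter of the login page and the redirect target becomes just `https://docs.google.com/uc?id=FILE_ID`. Percent-encoding the whole target, as `build_login_url` does, keeps the download flag attached.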

In any case, as always, stay vigilant of dodgy-looking links. ®


Biting the hand that feeds IT © 1998–2021