This vulnerability’s main problem lies in the fact that Google lets the “continue=[link]” as a parameter in the login page URL that conveys the Google server where to redirect the user after it has been authorized. Google has restricted its usage only to google.com domains using the “.google.com/” rule, where * is a wildcard, as it has expected that this parameter may result in security concerns. Woods determined that this implied that drive.google.com or docs.google.com links could be approved as valid “continue” parameters inside the login URL. A crafty hacker could upload malware to his Google Docs or Google Drive account, take the URL and hide it inside the official Google login link. This link would then be sent inside a spear-phishing email to the user that would fool him to think that it is the genuine Google login URL. When this page is accessed by the user and logs in, a file will be downloaded without confirmation from the user on the user’s PC when the victim presses the ‘Sign In’ button. A smartly named file such as “Login_Challenge.exe” or “Two-Factor-Authentication.exe” would fool less technical users into installing malware on their computers. Woods says that he tried to make Google’s security team aware about the issue by opening three bug reports, but they closed all of them. Given below is just a snippet from Google’s final reply. However, you can read the complete email exchange on Woods’ blog. “Thanks for your bug report and research to keep our users secure! We’ve investigated your submission and made the decision not to track it as a security bug. This report will unfortunately not be accepted for our VRP. Only first reports of technical security vulnerabilities that substantially affect the confidentiality or integrity of our users’ data are in scope, and we feel the issue you mentioned does not meet that bar 🙁 ”
Source: Softpedia