UPDATED 2:45 p.m. EDT Wednesday with a statement from Google.
Two different security researchers recently pointed out an odd but potentially disastrous flaw in Google's login system, yet both researchers report that Google won't fix it, claiming that the flaw is not nearly as dangerous as it appears. If the vulnerability is left untreated, a whole lot of users could find their information phished in short order.
Aidan Woods, a security analyst at British supermarket chain Sainsbury's, covered the flaw on his personal blog, in which he also detailed his correspondence with Google over it. Another researcher, Evangelos Mourikis, saw Woods' blog posting and said he'd found the same flaw earlier this summer, and had also contacted Google to no avail.
The flaw is not that easy to explain — even with the videos that Woods and Mourikis made demonstrating it — but it's potentially much worse than Google thinks it is. Both Woods and Mourikis showed how to redirect users from the Google login page to non-Google sites, but in different ways.
Essentially, all of Google's services, from Gmail to Maps to Docs, are linked via your Google login information using a web process known as an open redirector. Once you're logged into one Google site, you can usually jump to another without having to reenter your information.
This redirecting process is generally quite safe. Google makes sure that redirects can be only to sites within its own "google.com" domain; you (and your login info) theoretically can't make the jump to a page outside of Google.
However, Google may have made the open-redirect process a bit too open. It built two wild-card characters into the parameter check that controls the process, so that only destinations matching "*.google.com/*" are accepted.
Those two asterisks mean that any text in those two positions will be accepted as legitimate. That's great when redirecting to "maps.google.com," but the second asterisk is more problematic.
Woods constructed a scenario that could leverage Google's own leniency against it. The URL parameter known as "continue," whose value fills in the second asterisk, can redirect a user to any page in Google's domain — or, if done right, to an entirely separate domain.
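To make the point concrete, here is an added example (not code from the article, Google or the researchers) that contrasts a lenient "*.domain/*" wildcard check for a "continue" parameter with a stricter validator that parses the URL and only allows exact hosts and known first-party paths. The domain "example.com", the host list and the path prefixes are constructed placeholders.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlparse

# Constructed placeholder for the first-party domain the login page may return to.
TRUSTED_DOMAIN = "example.com"


def wildcard_check(continue_url: str) -> bool:
    """The lenient pattern described in the article: '*.<domain>/*'.

    The second wildcard accepts any path at all, so pages that host
    user-supplied content, or that are themselves redirectors, pass.
    """
    return fnmatchcase(continue_url, f"*.{TRUSTED_DOMAIN}/*")


# Hypothetical allowlists for the hardened check: exact hosts, and path
# prefixes known to be first-party pages rather than user content.
ALLOWED_HOSTS = {"mail.example.com", "docs.example.com"}
ALLOWED_PATH_PREFIXES = ("/inbox", "/settings")


def safe_continue(continue_url: str, default: str = "/") -> str:
    """Return continue_url only if it is an explicitly allowed same-site
    destination; otherwise fall back to a fixed landing page."""
    try:
        parts = urlparse(continue_url)
    except ValueError:
        return default
    if parts.scheme != "https":                # no http:// or javascript:
        return default
    if parts.username or parts.password:       # reject user@host confusion
        return default
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:              # exact host, not a suffix match
        return default
    if not parts.path.startswith(ALLOWED_PATH_PREFIXES):
        return default                         # user-hosted content, AMP, etc.
    return continue_url


if __name__ == "__main__":
    for url in ("https://mail.example.com/inbox?folder=1",
                "https://docs.example.com/user-content/page",
                "http://mail.example.com/inbox"):
        print(url, wildcard_check(url), safe_continue(url))
```

Run stand-alone, the script shows the wildcard check accepting all three same-domain strings while the stricter validator keeps only the first.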
Let's begin with attacks from within the Google domain. Remember that users can host their own content on Google domains, such as in Google Docs. It would be trivially easy to create a facsimile of a Google login screen, direct a user there, and then phish his or her information. In his video, Woods even demonstrates how a user could save this information right in a Google Drive file.
Speaking of Google Drive, another simple trick would be to redirect a user to a Google Drive file — and while Google Drive does screen for malicious software, the screening process is not perfect. A clever malefactor could trick a user into downloading malware, or into opening a file that contains a link to it, as Woods demonstrates in a video.
Google now has a speedy-loading news service called AMP that caches news articles from other sites on Google News. Woods found that if he embedded an AMP redirect into a Google login string, it would take the person logging into Google to another site. For example,
takes you to the Tom's Guide homepage after logging in with your Google username and password. We tried it ourselves, and found that it works even with Google's two-step verification enabled.
Try it yourself. We promise not to steal your credentials. But there's nothing stopping a malicious attacker from setting up his or her own website that looks exactly like the Google login page, and asking for your credentials again.
That's what Mourikis' proof-of-concept attack does. Using a specially crafted URL that bounces the user to another domain, his attack uses Google's own error message to poach the victim's password.
If you were hoping for a fix from Google, you can keep hoping. Woods documented his conversation with Google’s security team, wherein Google employees explained that the flaw did not seem very serious to them.
"We've investigated your submission and made the decision not to track it as a security bug," they said. "Only first reports of technical security vulnerabilities that substantially affect the confidentiality or integrity of our users' data are in scope, and we feel the issue you mentioned does not meet that bar."
"If I understand correctly, the only attack scenario you have in mind is phishing," a Google employee named Karshan apparently told Woods. "We invest in technologies to detect and alert users about phishing and abuse."
On his own blog, Mourikis said that Google's security team told him that "The open redirector itself is not a security vulnerability."
An email to Google seeking comment on this issue was not immediately returned.
UPDATE: Google provided a statement to Tom's Guide:
"We appreciate Mr. Woods' research and his work to help improve our users' safety. Like many account-based services, we've enabled these redirects, in part, to provide a simple sign-in experience across sites that also avoids unnecessary friction. In our case, a user may navigate to a site where they can log in with their Google credentials, sign in to their account, and finally be redirected back to the same page they were on initially. In parallel, we're constantly striving to protect users from phishing and other security risks with a variety of safety measures, including Safe Browsing, two-factor authentication and more."