Google has declined to act on a security researcher's report that the login page for the online giant's services is vulnerable and can be exploited for phishing attacks and to plant malware.
IT security analyst Aidan Woods at British retailer Sainsbury's decided to go public with details on the vulnerability after Google's security team brushed off his report and said it didn't consider it a "security bug".
Woods reported the issue multiple times to Google.
"I couldn't quite believe that Google had both understood this issue, and simply shrugged it off," Woods wrote.
"So I opened several reports to make sure understanding, or communicating the issue wasn't the error here. In total, three reports were opened with Google; three reports were closed."
After some email correspondence with Google's security team, Woods was told his report would be ignored.
"This report will unfortunately not be accepted for our VRP [vulnerability reporting program]. Only first reports of technical security vulnerabilities that substantially affect the confidentiality or integrity of our users' data are in scope, and we feel the issue you mentioned does not meet that bar," Google's security team reportedly told Woods.
"Bummer, we know. Nevertheless, we're looking forward to your next report! To maximise the chances of it being accepted, check out Bughunter University and learn some secrets of Google VRP."
The vulnerability stems from Google's use of the HTTP GET "continue" parameter on its login page.
While the login page checks that the parameter points to a google.com subdomain, Woods said the application does not check which type of Google service has been specified.
This means open redirects to arbitrary domains are possible, which could be used for phishing attacks to steal user credentials.
Furthermore, Woods noted that attackers can plant malicious files on Google Drive with public sharing enabled and point the login page's URL at them.
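The weakness described above is a return-URL check that only verifies the host suffix. The following is an added example, not code from the article or from Google, that models that check beside a per-service allowlist a defender would use instead. The hostnames in the allowlist, the fallback URL, and the sample "continue" values (including the Drive file id) are constructed for illustration.

```python
"""Toy model of a login "continue" (return-URL) check.

weak   : accept any https URL on the trusted domain or a subdomain of it
strict : accept only registered (host, path-prefix) destinations and rebuild
         the URL from its parsed parts, dropping userinfo, port and fragment
Added example; the allowlist and sample URLs are assumptions, not Google's.
"""
from urllib.parse import urlparse, urlunparse

TRUSTED_DOMAIN = "google.com"
FALLBACK = "https://www.google.com/"  # constructed safe landing page

# Hypothetical registry of post-login destinations: host -> allowed path prefixes.
# A file-hosting service such as Drive is deliberately absent, because a publicly
# shared file is not a legitimate place to send a user after sign-in.
ALLOWED_DESTINATIONS = {
    "mail.google.com": ("/mail/",),
    "calendar.google.com": ("/calendar/",),
}


def _https_host(url):
    """Return the lowercased hostname of an https URL, or None if unusable."""
    try:
        parts = urlparse(url)
    except ValueError:  # e.g. malformed IPv6 literal
        return None
    if parts.scheme != "https":  # also rejects "//host/..." protocol-relative forms
        return None
    return parts.hostname  # strips userinfo ("user@") and port, lowercases


def is_trusted_subdomain(url):
    """The weak check: host equals the trusted domain or ends with '.' + domain."""
    host = _https_host(url)
    return host is not None and (
        host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)
    )


def continue_target_weak(url):
    """Suffix-only policy: any service under the trusted domain is accepted."""
    return url if is_trusted_subdomain(url) else FALLBACK


def continue_target_strict(url):
    """Allowlist policy: host must be a registered service and path must match."""
    host = _https_host(url)
    if host is None or host not in ALLOWED_DESTINATIONS:
        return FALLBACK
    parts = urlparse(url)
    if not any(parts.path.startswith(p) for p in ALLOWED_DESTINATIONS[host]):
        return FALLBACK
    # Re-emit only scheme, host, path and query so nothing odd in the netloc survives.
    return urlunparse(("https", host, parts.path, "", parts.query, ""))


# Constructed sample values for the "continue" parameter.
SAMPLES = [
    "https://mail.google.com/mail/u/0/",                    # legitimate service
    "https://drive.google.com/uc?id=EXAMPLE_FILE_ID",       # shared file on a subdomain
    "https://mail.google.com.evil.example/",                # look-alike host
    "https://accounts.google.com@evil.example/",            # userinfo trick
    "http://mail.google.com/mail/",                         # not https
]


def compare_policies(urls=SAMPLES):
    """Return {url: (weak_result, strict_result)} for each sample."""
    return {u: (continue_target_weak(u), continue_target_strict(u)) for u in urls}


if __name__ == "__main__":
    for url, (weak, strict) in compare_policies().items():
        print(f"{url}\n  weak   -> {weak}\n  strict -> {strict}")
```

The Drive sample is the instructive row: it passes the suffix check because drive.google.com is a google.com subdomain, yet the strict policy sends the user to the fallback because a file download is not a registered destination. Rebuilding the URL from parsed components also means that whatever the attacker put in the authority section never reaches the redirect.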
Woods suggested users always check the URL for login pages before entering credentials to avoid falling prey to the vulnerability.
Users should also avoid clicking on links that don't come directly from Google, and avoid running files that appear to have been delivered at sign-in.