Google refuses to patch alleged login page flaw

The vulnerability is reportedly caused by Google’s login page accepting a GET parameter which undergoes a basic check.
The vulnerability is reportedly caused by Google’s login page accepting a GET parameter which undergoes a basic check.

Google is refusing to patch an alleged faulty Login Page after an independent researcher claimed to have spotted a bug that could allow an attacker to poison the functionality of the login submit action by exploiting its redirect function.

The vulnerability is caused by Google's login page accepting a GET parameter which undergoes a basic check, but fails to verify the type of Google service that has been specified, Aidan Woods said in an Aug. 27 blog post.

This means that it possible to seamlessly insert any Google service at the end of the login process such as Open Redirects and Arbitrary File Uploads, he said in the post.

“Due to Google's stance on open-redirects (even demonstrably unsafe ones – like at login), it is not possible to assume all pages are to be trusted,” Woods said. “For a login process such as Google's: one that is already multi-page by design – this is extremely unintuitive.”

Woods argues that Google's whitelist is too broad and that it should work on selecting known safe sub-domains individually or kill the redirect as a last resort.

The researcher reported his findings to Google on Aug. 19, according to his blog, and after going back and forth Google told the researcher that it made the decision not to track the issue as a security bug.

A Google spokesperson told SCMagazine.com that the company appreciates Wood's research and that it strives to protect users from various attack vectors.

“Like many account-based services, we've enabled these redirects, in part, to provide a simple sign-in experience across sites that also avoids unnecessary friction,” the spokesperson told SC via emailed comments. “In our case, a user may navigate to a site where they can log in with their Google credentials, sign in to their account, and finally be redirected back to the same page they were on initially.”

Woods has yet to respond to SC for comment.