Google refuses to patch alleged login page flaw

News by Robert Abel

Google is refusing to patch an alleged faulty Login Page after an independent researcher claimed to have spotted a bug.

Google is refusing to patch an alleged faulty Login Page after an independent researcher claimed to have spotted a bug that could allow an attacker to poison the functionality of the login submit action by exploiting its redirect function.

The vulnerability is caused by Google's login page accepting a GET parameter which undergoes a basic check, but fails to verify the type of Google service that has been specified, Aidan Woods said in an Aug. 27 blog post.

This means that it possible to seamlessly insert any Google service at the end of the login process such as Open Redirects and Arbitrary File Uploads, he said in the post.

“Due to Google's stance on open-redirects (even demonstrably unsafe ones – like at login), it is not possible to assume all pages are to be trusted,” Woods said. “For a login process such as Google's: one that is already multi-page by design – this is extremely unintuitive.”

Woods argues that Google's whitelist is too broad and that it should work on selecting known safe sub-domains individually or kill the redirect as a last resort.

The researcher reported his findings to Google on Aug. 19, according to his blog, and after going back and forth Google told the researcher that it made the decision not to track the issue as a security bug.

A Google spokesperson told that the company appreciates Wood's research and that it strives to protect users from various attack vectors.

“Like many account-based services, we've enabled these redirects, in part, to provide a simple sign-in experience across sites that also avoids unnecessary friction,” the spokesperson told SC via emailed comments. “In our case, a user may navigate to a site where they can log in with their Google credentials, sign in to their account, and finally be redirected back to the same page they were on initially.”

Woods has yet to respond to SC for comment.  

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Upcoming event 

Webcast: Understanding this year's biggest adversaries - and how to combat them 

Nation-state activity, versatile, slippery strategies and Big Game Hunting - the threats are real, dangerous and ever changing. 
Brought to you in partnership with Crowdstrike