The security bug is said to be in the ‘manage versions’ feature offered by Google Drive, which allows users to upload and manage different versions of a file. The feature lets a user see changes made to his/her files in Drive and keep track of who made those changes. You might see changes when someone: edits or comments in Google Docs, renames a file or folder, moves or removes a file or folder, uploads a new file to a folder, or shares or unshares an item.
According to Nikoci, the ‘manage versions’ functionality should allow users to update an older version of a file with a new version having the same file extension; however, this is not the case. “…the affected functionality allows users to upload a new version with any file extension for any existing file on the cloud storage, even with a malicious executable,” Nikoci told The Hacker News.
In a demo video, which Nikoci shared with the website, he shows a legitimate version of the file that is already shared among a group of users being replaced by a malicious file. The file, when previewed online, does not alert users about any change. “Google lets you change the file version without checking if it’s the same type,” Nikoci claimed. He said that Google Drive did not even require the file to have the same extension.
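A defender can look for the type mismatch described above in a shared file's revision history. The following is an added example, not code from the article or from Google: it assumes revision metadata shaped like the Drive API v3 revisions resource (`originalFilename`, `mimeType`, `modifiedTime`, `lastModifyingUser`), and the sample records and the executable-extension list are constructed.

```python
import os

# Assumed list of extensions treated as directly executable (not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".bat", ".cmd", ".msi", ".js", ".vbs", ".ps1"}

# Constructed sample: three revisions of one shared file.
SAMPLE_REVISIONS = [
    {"id": "1", "originalFilename": "report.pdf", "mimeType": "application/pdf",
     "modifiedTime": "2020-08-01T09:00:00Z",
     "lastModifyingUser": {"emailAddress": "alice@example.com"}},
    {"id": "2", "originalFilename": "report.pdf", "mimeType": "application/pdf",
     "modifiedTime": "2020-08-10T14:30:00Z",
     "lastModifyingUser": {"emailAddress": "alice@example.com"}},
    {"id": "3", "originalFilename": "report.exe",
     "mimeType": "application/x-msdownload",
     "modifiedTime": "2020-08-20T23:05:00Z",
     "lastModifyingUser": {"emailAddress": "mallory@example.com"}},
]


def _ext(name):
    """Lower-cased extension of a filename, or '' if there is none."""
    return os.path.splitext(name or "")[1].lower()


def audit_revisions(revisions):
    """Flag each revision whose extension or MIME type differs from the one before it."""
    # Same-format RFC 3339 UTC timestamps sort correctly as strings.
    ordered = sorted(revisions, key=lambda r: r["modifiedTime"])
    findings = []
    for prev, cur in zip(ordered, ordered[1:]):
        prev_ext = _ext(prev.get("originalFilename"))
        cur_ext = _ext(cur.get("originalFilename"))
        reasons = []
        if cur_ext != prev_ext:
            reasons.append(f"extension {prev_ext or '(none)'} -> {cur_ext or '(none)'}")
        if cur.get("mimeType") != prev.get("mimeType"):
            reasons.append(f"mimeType {prev.get('mimeType')} -> {cur.get('mimeType')}")
        if reasons:
            findings.append({
                "revision": cur["id"],
                "user": cur.get("lastModifyingUser", {}).get("emailAddress", "unknown"),
                "severity": "high" if cur_ext in EXECUTABLE_EXTS else "medium",
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in audit_revisions(SAMPLE_REVISIONS):
        print(f)
```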
The loophole, according to him, can be used by cybercriminals to launch spear-phishing attacks, because the user may not know that there’s a dangerous file until he/she has already installed it. He said that, to add to the problem, Chrome appears to “implicitly trust” the Drive downloads even when other antivirus programs suspect malware.
For the uninitiated, spear phishing attacks are those where users are tricked into opening dangerous attachments or clicking on malware-laden links. This may lead to them sharing their confidential information or to spyware or other dangerous software getting installed secretly on their device.
The disclosure comes just days after security researcher Allison Husain publicly disclosed a bug impacting Gmail and G Suite email servers that allowed hackers to send spoofed emails on behalf of any Gmail or G Suite user. Google has already patched this bug.
“Due to missing verification when configuring mail routes, both Gmail’s and any G Suite customer’s strict DMARC/SPF policy may be subverted by using G Suite’s mail routing rules to relay and grant authenticity to fraudulent messages. This is notably not the same as classic mail spoofing of yesteryear in which the From header is given an arbitrary value, a technique which is easily blocked by mail servers using the Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting and Conformance (DMARC). This issue is a bug unique to Google which allows an attacker to send mail as any other user or G Suite customer while still passing even the most restrictive SPF and DMARC rules,” said Husain in the post.