As usual, I was reading the news on The Hacker News security portal when a post attracted my attention: another security issue related to an IT giant, Google. The Indian penetration tester Ansuman Samantaray discovered a security flaw in Google Drive that exposes millions of Google users to the threat of phishing attacks.
Too bad that Google has ignored the warning underestimating the risks and replying to the researcher that
Analyzing in detail the URL used to upload or create a file on Google Drive/Docs, it is possible to note the value “download” for the attribute “export”, which allows the user to download the document.
The Indian pentester demonstrated that if an attacker changes the “export” parameter to “view”, the malicious code written in the created document file is executed by the browser.
The researcher at THN also provided proof of the flaw, uploading a file on Google Drive and using the attribute value download.
Meanwhile, the following is the same link using the view value for the export attribute.
The clickjacking flaw, which later extends to a phishing attack, was refused by Google.
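The download/view behaviour described above comes down to a client-controlled parameter deciding whether the browser renders an uploaded file. As an added example (not code from the original post, THN or Google), here is a hypothetical file-serving header policy showing the weak form beside a hardened one; the function names, the inline allowlist and the sample values are assumptions.

```javascript
// Added example, hypothetical names throughout: header policy for a file host
// that accepts an "export" parameter with the values "download" and "view".

// Assumption: only these passive types may ever be rendered inline.
const INLINE_SAFE = new Set([
  "image/png", "image/jpeg", "image/gif", "text/plain",
]);

// Weak form: the client-supplied parameter alone decides rendering, so
// export=view makes the browser render an uploaded HTML file in place.
function weakHeaders(exportMode, storedType, filename) {
  const disposition = exportMode === "view" ? "inline" : "attachment";
  return {
    "Content-Type": storedType,
    "Content-Disposition": `${disposition}; filename="${filename}"`,
  };
}

// Hardened form: "view" is honoured only for allowlisted passive types;
// anything else is forced to download whatever the parameter says.
function hardenedHeaders(exportMode, storedType, filename) {
  const type = String(storedType).split(";")[0].trim().toLowerCase();
  const inline = exportMode === "view" && INLINE_SAFE.has(type);
  // Replace quotes, CR/LF and other characters that could break the header.
  const safeName = String(filename).replace(/[^\w.\-]/g, "_");
  return {
    "Content-Type": inline ? type : "application/octet-stream",
    "Content-Disposition": `${inline ? "inline" : "attachment"}; filename="${safeName}"`,
    "X-Content-Type-Options": "nosniff", // browser must not sniff a different type
    "Content-Security-Policy": "sandbox; default-src 'none'", // no script, no subresources
    "X-Frame-Options": "DENY", // response cannot be framed by another site
  };
}

// Constructed sample: an uploaded HTML document requested with export=view.
function demo() {
  const args = ["view", "text/html; charset=utf-8", "invoice.html"];
  return { weak: weakHeaders(...args), hardened: hardenedHeaders(...args) };
}

console.log(demo());
```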