Google login pages aren’t safe at all, research finds
Taking a deeper look at Google’s service login pages, researcher Aidan Woods discovered that it’s “possible to seamlessly insert any Google service at the end of the login process”.
In short, this flaw allows dark lords of the web to insert additional parameters, websites or even Google Docs files into the URL of a login page. The inserted website would be visually hidden; the user would instead see a Google login page.
Woods does give a few pointers to end users though:
- Always check the URL – before entering credentials – including at each stage of the login process
- Avoid login after clicking links that don’t come directly from Google – bad links could be anywhere: even Google search results. An example use case would be behind the ruse of user protected content that requires sign-in (e.g. content on Google Drive)
- If it looks like Google sent you a file at sign-in, don’t run it. Regardless of what it is named, you can’t trust it.
Full report along with the correspondence with Google | https://www.aidanwoods.com/blog/faulty-login-pages
Regards
Pralhad Jadhav
Senior Manager @ Library
Khaitan & Co
Note | If anybody uses this post for forwarding in any social media coverage or for covering in the Newsletter, please give due credit to those who are taking efforts for the same.