Aidan Woods, a security researcher at Sainsbury’s in the United Kingdom, recently discovered a vulnerability in Google’s account login page that could give attackers an easy way into user accounts, or simply let them capture the account holder’s login information.
According to the researcher, although he has reported the matter to Google several times, the search giant does not seem concerned about the issue and is not willing to track it as a security bug. This has left many Google users around the world unsure of just how dangerous this flaw really is. Do you really think it is easy to hack a mail account provided by a company of this size and security reputation?
How can you tell whether your account has been hacked or not?
It may be a little technical for us mere mortals to understand, but in essence Google’s login page accepts an extra parameter called “continue”, and this parameter can redirect a user to any URL that starts with “google.com”.
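To make that prefix problem concrete, here is an added example (not Google’s code, and not from Woods’s write-up) of a post-login redirect validator: a weak version that accepts any URL whose authority merely begins with the trusted domain, beside a strict version that parses the URL and accepts only an exact allow-listed host or a same-site relative path. The allow-list, the `weak_continue` and `strict_continue` function names, and the sample URLs are all constructed for illustration.

```python
"""Validating a post-login redirect target.

Added example, not Google's code: a weak check that accepts any authority
beginning with the trusted domain (the class of flaw described above)
beside a strict check that parses the URL and allows only an exact
allow-listed host or a same-site relative path. Hosts, function names
and sample URLs are constructed for illustration.
"""
from urllib.parse import urljoin, urlparse

# Constructed allow-list; a real deployment would list its own login hosts.
TRUSTED_HOSTS = {"google.com", "www.google.com", "accounts.google.com"}
FALLBACK = "https://www.google.com/"


def weak_continue(target: str) -> str:
    """Flawed: a string-prefix test on the authority part of the URL.

    'google.com.evil.example' and 'google.com@evil.example' both start
    with 'google.com', so either is accepted as a redirect target.
    """
    authority = urlparse(target).netloc.lower()
    if authority.startswith("google.com"):
        return target
    return FALLBACK


def strict_continue(target: str) -> str:
    """Hardened: parse, then compare the host exactly against an allow-list.

    Relative paths are resolved against FALLBACK so they stay on-site;
    scheme-relative '//host' forms carry a netloc and are rejected along
    with everything else that is not https on a trusted host.
    """
    parts = urlparse(target)
    if not parts.scheme and not parts.netloc:
        # Same-site path such as '/settings'; '//host/...' never lands here
        # because urlparse puts 'host' into netloc for that form.
        if parts.path.startswith("/"):
            return urljoin(FALLBACK, target)
        return FALLBACK
    if parts.scheme != "https":
        return FALLBACK
    # .hostname strips userinfo and port, so 'google.com@evil.example'
    # yields 'evil.example' and fails the exact-match test.
    if parts.hostname is None or parts.hostname.lower() not in TRUSTED_HOSTS:
        return FALLBACK
    return target


# Constructed sample targets, annotated with what each one probes.
SAMPLES = [
    "https://google.com/settings",             # legitimate
    "/settings",                               # same-site relative path
    "https://google.com.evil.example/login",   # trusted name as a prefix
    "https://google.com@evil.example/",        # trusted name as userinfo
    "//evil.example/",                         # scheme-relative host
    "http://www.google.com/",                  # plaintext downgrade
]


def compare(targets=SAMPLES):
    """Return (target, weak_result, strict_result) for each sample."""
    return [(t, weak_continue(t), strict_continue(t)) for t in targets]


if __name__ == "__main__":
    for target, weak, strict in compare():
        print(f"{target:40} weak -> {weak:40} strict -> {strict}")
```

Running the block prints one row per sample; the two attacker-style hosts pass the weak check and are sent to the fallback by the strict one. The design point is that a redirect target is a URL, not a string: parse it, take the host from the parsed result (so userinfo and port cannot masquerade as the host), and compare it for equality against a short allow-list rather than testing a prefix or suffix.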
Woods explained in an email to Google as follows: A user who is linked to the legitimate login page for Google may have a step inserted into the login process [e.g. one that steals credentials].
Google responded that it might take up to a week to look into the issue as they were ‘particularly busy’. When they did contact Woods for more details, he wrote:
Using an existing open redirect, it is now possible to send a user to an arbitrary page after login. This opens up the following series of events:
User follows link -> user sees sign-in prompt -> user verifies domain to be legitimate Google login page -> user types their username -> page redirects -> user types their password -> page redirects -> sorry, incorrect password -> user re-types their password -> page redirects to Google service.
In the stage where a user is told their password is incorrect, they would have been unknowingly and seamlessly redirected to an attacker’s website while in the process of logging in to the legitimate google.com.
Detailed explanation:
You can read Woods’s detailed explanation on his blog at Aidanwoods.com and stay abreast of Google’s response as this story develops. You can also share similar stories of your own on his YouTube video (attached below), and let’s try to get help from the Google team or anyone else involved.
In the meantime, always be cautious when asked to re-enter your password. If you are asked for your password or other personal information, double-check the URL to make sure it still points to google.com and not to another site. If it isn’t from Google, you may be the victim of a live hacking attack.
This search vulnerability alert was brought to you by Sekari, a search-optimised content agency in Dubai. Some of the text is taken from Aidanwoods.com, the blog of the researcher who encountered this problem.
Woods created a video that explains how the vulnerability works: