Last week, I read a blog post about using Google Drive as a phishing page to steal users’ account information. As a user who frequently uses Google Drive to store data and relies on Google’s preview function, I was quite surprised by this information. I tried the method immediately and found it very effective.
About 2-3 days later, I found that the document I had used to fake the Google login page showed a warning icon right next to its name. Once I opened it, I realized that Google had fixed this fault.
Here is the document after the fix:
Figure 1: The document faking Google login page after Google fixed the fault
Figure 2: The error code 404 returned
Thus, all documents faking the Google login page were prohibited from sharing, and we could no longer carry out phishing with the method presented in the blog post. I immediately wondered how Google identified documents faking their login page and how they fixed this fault. They might have checked the file's hash, or checked the names and images of such documents.
If so, could we bypass Google’s protection by modifying the file’s name and contents? Also, could we find a way to use Google Drive’s link display to redirect users to an arbitrary website?
Getting to work:
- Changing the content and file paths of the fake Google login page
The first question was whether Google checked only the file's hash, or also checked the file name and the images used in the login page. I changed the file’s contents and the names of the images in the Google login page. Specifically:
- Modifying the images’ names, then renaming the folder containing the images to ‘img’
- Renaming the file ‘css.css’ in the image folder to ‘ggcss.css’ and saving it in a new folder ‘css’

The Google login page was divided into:
Figure 3: Folder containing code of Google login page after being renamed
After the entire folder was uploaded to Google Drive:
Figure 4: The code folder after being uploaded to Google Drive
Figure 5: html file faking Google login page
An encouraging sign was that Google Drive no longer warned that sharing the document was prohibited. The following were the results when using Google's preview function:
Figure 6: Using Google Drive to execute phishing could still be done
- Using Google Drive to redirect users to an arbitrary website
A fake Google login page enables hackers to steal users’ information. In addition, Google Drive's preview function allows the web browser to execute functions in the HTML file. Could we use Google Drive to redirect users to an arbitrary website?
By replacing the contents of the Google login page with a meta tag, I got an HTML file with the content detailed below:
After uploading the document, you could see that Google Drive's preview function still worked and no warning was given.
Figure 7: Preview function was still in use
As a result, we had the preview link: https://googledrive.com/host/0B9wPl0rYfRf7TGVKenJKdGtQaE0/google%20redirect.html
Figure 8: Users being redirected to bkav.com
With this method, hackers could use Google Drive to quietly redirect users to a phishing website. It might again be a fake Google login page, with a link path closely resembling Google's; google.com.something could be an example.
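A defender-side check for the redirect described above, as an added example that is not part of the original post: it extracts meta-refresh targets from an HTML file and flags hosts of the google.com.something kind, where a trusted domain appears inside the hostname without the host belonging to it. The sample HTML, the `example.net` host, the `TRUSTED` list and all function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED = ("google.com",)  # assumption: the brand domains you want to protect

class MetaRefreshFinder(HTMLParser):
    """Collects the target URLs of <meta http-equiv="refresh"> tags."""
    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # parser lowercases tag/attr names
        if tag != "meta" or a.get("http-equiv", "").strip().lower() != "refresh":
            return
        # content is "<seconds>" or "<seconds>; url=<target>"
        _, _, rest = a.get("content", "").partition(";")
        key, _, url = rest.partition("=")
        url = url.strip().strip("'\"")
        if key.strip().lower() == "url" and url:
            self.targets.append(url)

def classify(url, trusted=TRUSTED):
    """Label a redirect target: relative, trusted, lookalike-host or other-host."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    if not host:
        return "relative"
    if any(host == d or host.endswith("." + d) for d in trusted):
        return "trusted"
    # trusted domain appears as whole labels inside the host,
    # but the host itself is not under that domain
    if any(f".{d}." in f".{host}." for d in trusted):
        return "lookalike-host"
    return "other-host"

def triage(html):
    """Return (target, label) for every meta-refresh redirect in an HTML document."""
    finder = MetaRefreshFinder()
    finder.feed(html)
    finder.close()
    return [(u, classify(u)) for u in finder.targets]

# Constructed sample, not the file from the post.
SAMPLE = """<html><head>
<meta http-equiv="Refresh" content="0; URL=https://accounts.google.com.example.net/login">
</head><body></body></html>"""

if __name__ == "__main__":
    for target, label in triage(SAMPLE):
        print(label, target)
```

The check covers only the embedded-trusted-domain pattern; misspelled or homoglyph hostnames need a separate comparison.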
It was clear that the mechanism Google used to fix the fault was so simple that it could be bypassed. Therefore, to keep their own information safe, users should be careful with links sent from Google Drive until Google finds another mechanism to fix the fault.
We will keep updating this blog post with information related to Google's patching of this fault.
Tong Van Toan