From an IT admin’s report, Google Drive has a serious working flaw to let users update their files without being properly checked. The malicious process targets the “Manage Versions” feature of Drive, which allows an old file to be replaced by a new updated file, without being checked. And since the files from Drive are believed to be genuine by Chrome, users may fall for phishing attacks.

Google Drive’s Incomplete Feature turns to a Bug

A. Nikoci, a system administrator who reported this possible hacking process to Google, is waiting for the patch even now. So do we all. The flaw could be exploited through a phishing attack, and trick users to give up their credentials eventually. He explained that Drive’s “manage versions” feature, something that would let users update their files within whenever there’s an update.

Demo 1

Demo 2

Demo 3

So an attacker who’s intended to hack a person would send a fake update notification to the targets, tricking him to download the notified file to update. Amidst this process of uploading a new updated file, the Drive wouldn’t check what file is being replaced. For example, a .jpg file showing an image file should be updated with an almost similar .jpg file, but never with a .exe (executable file), which could be a malware.

Since this basic check is skipped by Drive, attackers can trick users to replace the original file with a malicious file, possibly a malware file. And when opened/installed, it could steal data as a backdoor. Even if not, researchers said a possible phishing campaign could be conducted for stealing credentials.

This process is so effective for attackers, since the Chrome, from where most of the Drive files are accessed in desktop, blindly believes any file downloaded from Drive to be legit, thus raising no warnings to users. This support sometimes skips the bells from antivirus softwares for protection, thus failing users at the end. Google was informed of this bug but didn’t patch it yet.

LEAVE A REPLY

Please enter your comment!
Please enter your name here