From an IT admin’s report, Google Drive has a serious working flaw to let users update their files without being properly checked. The malicious process targets the “Manage Versions” feature of Drive, which allows an old file to be replaced by a new updated file without being checked. And since the files from Drive are believed to be genuine by Chrome, users may fall for phishing attacks.
Google Drive’s Incomplete Feature turns into a Bug.
A. Nikoci, a system administrator who reported this possible hacking process to Google, is waiting for the patch even now. So do we all. The flaw could be exploited through a phishing attack and trick users into giving up their credentials eventually. He explained that Drive’s “manage versions” feature would let users update their files whenever there’s an update.
Demo 1
Demo 2
Demo 3
So an attacker who’s intended to hack a person would send a fake update notification to the targets, tricking them into downloading the notified file to update. Amidst this process of uploading a new updated file, the Drive wouldn’t check what is being replaced. For example, a .jpg file showing an image file should be updated with an almost similar .jpg file, but never with a .exe (executable file), which could be malware.
Since Drive skips this basic check, attackers can trick users into replacing the original file with a malicious file, possibly a malware file. And when opened/installed, it could steal data as a backdoor. Researchers said a possible phishing campaign could be conducted for stealing credentials even if not.
This process is so effective for attackers since Chrome, from where most of the Drive files are accessed on the desktop, blindly believes any file downloaded from Drive to be legit, thus raising no warnings to users. This support sometimes skips the bells from antivirus software for protection, thus failing users at the end. Google was informed of this bug but didn’t patch it yet.
