Google Drive has an unpatched security weakness which could be exploited by attackers to distribute malicious files disguised as legitimate documents or images, and let them conduct spear-phishing attacks.
The latest security issue resides in the “manage versions” functionality provided by Google Drive that allows users to upload and manage different versions of a file, as well as in the way its interface provides a new version of the files to the users.
The manage versions functionality is meant to let Google Drive users replace an older version of a file with a new version that has the same file extension.
According to A. Nikoci, the person who reported the flaw to Google, this functionality allows users to upload a new version with any file extension for any existing file on the cloud storage, even with a malicious executable.
As a result, a legitimate version of a file that has already been shared with a group of users can be replaced by a malicious file. The online preview does not show the newly made changes, but the downloaded file can be used to infect the targeted systems.
Google allows you to change the file version without checking if it is the same type.
This issue can allow for highly effective spear-phishing campaigns that take advantage of the widespread prevalence of cloud services such as Google Drive to distribute malware.
The disclosure came shortly after Google fixed a security flaw in Gmail that could have allowed a threat actor to send spoofed emails mimicking any Gmail or G Suite customer, even when strict DMARC/SPF security policies were enabled.
Google is aware of this security issue but has left it unpatched.
Spear-phishing scams try to trick recipients into opening malicious attachments or clicking links, which leads them to hand confidential information, such as account credentials, to the attacker in the process.
The links and attachments can also be used to make the recipient unknowingly download malware that gives the attacker access to the user’s computer system and other sensitive information.
Google Drive’s file update feature was supposed to be an easy way to update shared files, including the ability to replace the document with a completely new version from the system. So, a shared file can be updated without changing its link.
But without any validation of file extensions, users of the shared file, notified of the change by email, may download the document and unknowingly infect their systems with malware.
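The risk described above comes from a new version whose file type differs from the one originally shared. The following is an added example, not code from the article or from Google, showing how a defender could audit a file's revision history for exactly that change. It assumes revision metadata in the shape returned by the Drive API v3 `revisions.list` call (the `id`, `mimeType`, `originalFilename` and `modifiedTime` fields); the sample revisions below are constructed for illustration.

```python
from pathlib import PurePosixPath

# Constructed sample revision history for one shared file, in the shape of
# Drive API v3 revisions.list output. These are not real Drive records.
SAMPLE_REVISIONS = [
    {"id": "1", "mimeType": "application/pdf",
     "originalFilename": "invoice-q3.pdf", "modifiedTime": "2020-08-01T10:00:00Z"},
    {"id": "2", "mimeType": "application/pdf",
     "originalFilename": "invoice-q3.pdf", "modifiedTime": "2020-08-10T10:00:00Z"},
    # A later version silently swapped in with a different type and extension.
    {"id": "3", "mimeType": "application/x-msdownload",
     "originalFilename": "invoice-q3.exe", "modifiedTime": "2020-08-20T10:00:00Z"},
]

# Extensions that should never replace a document or image version.
# This list is an assumption for the example; tune it to your environment.
EXECUTABLE_EXTENSIONS = {".exe", ".msi", ".scr", ".bat", ".cmd", ".js", ".vbs", ".ps1"}


def _extension(revision):
    """Lower-cased file extension of a revision, or '' if none is recorded."""
    return PurePosixPath(revision.get("originalFilename", "")).suffix.lower()


def find_type_changes(revisions):
    """Compare each revision with its predecessor (by modifiedTime) and report
    every step where the MIME type or the file extension changed.

    Returns a list of findings; each finding names the revision that introduced
    the change, what changed, and whether the new extension is executable."""
    ordered = sorted(revisions, key=lambda r: r["modifiedTime"])
    findings = []
    for prev, cur in zip(ordered, ordered[1:]):
        prev_ext, cur_ext = _extension(prev), _extension(cur)
        mime_changed = prev["mimeType"] != cur["mimeType"]
        ext_changed = prev_ext != cur_ext
        if mime_changed or ext_changed:
            findings.append({
                "revision_id": cur["id"],
                "modifiedTime": cur["modifiedTime"],
                "previous": (prev["mimeType"], prev_ext),
                "current": (cur["mimeType"], cur_ext),
                "executable": cur_ext in EXECUTABLE_EXTENSIONS,
            })
    return findings


def is_suspicious(revisions):
    """True if any revision changed the file's type to an executable extension."""
    return any(f["executable"] for f in find_type_changes(revisions))


if __name__ == "__main__":
    for finding in find_type_changes(SAMPLE_REVISIONS):
        print(f"revision {finding['revision_id']} at {finding['modifiedTime']}: "
              f"{finding['previous']} -> {finding['current']}"
              f"{' (EXECUTABLE)' if finding['executable'] else ''}")
```

In practice the `revisions` argument would come from an authenticated Drive API client, e.g. `service.revisions().list(fileId=file_id, fields="revisions(id,mimeType,originalFilename,modifiedTime)").execute()["revisions"]` (the client call is an assumption about the Google API client library, not something the article shows). Running the check over files shared with a team, or on each Drive change notification, surfaces the type swap that the preview hides.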
This can lead to whaling attacks, a phishing tactic in which threat actors impersonate senior management in an organization and target specific individuals to steal sensitive information or gain access to their computer systems for criminal purposes.
Google Chrome also seems to trust files downloaded from Google Drive, even when other antivirus software detects them as malicious.
There is no evidence of this flaw being exploited in the wild, but it would not be difficult for attackers to exploit it.
Users are advised to watch for any suspicious emails, including Google Drive notifications, to reduce the risk.
Image credits: TechTalks