SoylentNews is people
SoylentNews
The Hacker News is reporting an exploitable feature of Google Drive could allow an attacker to replace legitimate files with files of their choosing.
An unpatched security weakness in Google Drive could be exploited by malware attackers to distribute malicious files disguised as legitimate documents or images, enabling bad actors to perform spear-phishing attacks comparatively with a high success rate.
The latest security issue—of which Google is aware but, unfortunately, left unpatched—resides in the "manage versions" functionality offered by Google Drive that allows users to upload and manage different versions of a file, as well as in the way its interface provides a new version of the files to the users.
Logically, the manage versions functionally should allow Google Drive users to update an older version of a file with a new version having the same file extension, but it turns out that it's not the case.
According to A. Nikoci, a system administrator by profession who reported the flaw to Google and later disclosed it to The Hacker News, the affected functionally allows users to upload a new version with any file extension for any existing file on the cloud storage, even with a malicious executable.
As shown in the demo videos—which Nikoci shared exclusively with The Hacker News—in doing so, a legitimate version of the file that's already been shared among a group of users can be replaced by a malicious file, which when previewed online doesn't indicate newly made changes or raise any alarm, but when downloaded can be employed to infect targeted systems.
"Google lets you change the file version without checking if it's the same type," Nikoci said. "They did not even force the same extension."
(Score: 2) by darkfeline on Friday August 28 2020, @02:54AM (1 child)
"File" "names" are not unique in Google Drive. You can upload multiple files all named "foo.txt". So that's not the issue at all.
Google Drive files all have a unique ID separate from their name. You can rename a file and links to the same unique ID will keep pointing to the same file.
This is about someone replacing a MKV file with an executable, so that when someone goes to download it and double click on it, they get pwned. I don't know how Windows works, but changing the extension is optional if the file manager parses the file header to determine how to open it.
Join the SDF Public Access UNIX System today!
(Score: 2) by sjames on Saturday August 29 2020, @03:52AM
This is more or less the opposite. Watch the demo videos in TFA.
Quick synopsis, upload NiceStory.pdf. Reassuring thumbnail of a .pdf appears. Then Manage versions and upload NiceStory.pdf.exe as a new version. In spite of the file now being a .exe, the .pdf thumbnail is still there. Share with world, send email inviting people to read it. They see the re-assuring thumb of a PDF and the name NiceStory.pdf. Open it in Drive and they see the PDF with a nice story. Decide to download for later, they get the .exe even after they took the precaution of previewing in Drive to make sure it was a safe PDF.
So it's not just the name that gets mixed up. If uploading the .exe changed the thumbnail and meant it would no longer open as a PDF in Drive, it would be fair enough. What you see is not what you'll get.
MS gets some of the blame, whoever had the "brilliant" idea to hide file extensions deserves to be beaten with a bucket of wet squirrels, but Drive gets some blame too for enabling the slight of hand.