SoylentNews is people
SoylentNews
The Hacker News is reporting an exploitable feature of Google Drive could allow an attacker to replace legitimate files with files of their choosing.
An unpatched security weakness in Google Drive could be exploited by malware attackers to distribute malicious files disguised as legitimate documents or images, enabling bad actors to perform spear-phishing attacks comparatively with a high success rate.
The latest security issue—of which Google is aware but, unfortunately, left unpatched—resides in the "manage versions" functionality offered by Google Drive that allows users to upload and manage different versions of a file, as well as in the way its interface provides a new version of the files to the users.
Logically, the manage versions functionally should allow Google Drive users to update an older version of a file with a new version having the same file extension, but it turns out that it's not the case.
According to A. Nikoci, a system administrator by profession who reported the flaw to Google and later disclosed it to The Hacker News, the affected functionally allows users to upload a new version with any file extension for any existing file on the cloud storage, even with a malicious executable.
As shown in the demo videos—which Nikoci shared exclusively with The Hacker News—in doing so, a legitimate version of the file that's already been shared among a group of users can be replaced by a malicious file, which when previewed online doesn't indicate newly made changes or raise any alarm, but when downloaded can be employed to infect targeted systems.
"Google lets you change the file version without checking if it's the same type," Nikoci said. "They did not even force the same extension."
(Score: 2) by darkfeline on Tuesday August 25 2020, @08:08PM (3 children)
This guy is really stretching to portray this as a vulnerability. First of all, file types and extensions aren't even a real thing. File extensions are at best advisory, and file types aren't well defined (is an MKV containing different streams and encodings different or same file type? Is two different file format versions for the same application different or same file type? Are compiled executables all the same file type? Are executable scripts the same file type as compiled executables?) How would you even enforce such a hypothetical restriction? Note that you can't execute files from Google Drive, you have to download them first, and it's up to the client what file extensions and/or executable bit is set on the saved file.
Second, if the attacker can already upload malicious files, you're screwed. This is like complaining that a root user on *nix can replace /etc/xorg.conf with a malicious executable. No shit.
Join the SDF Public Access UNIX System today!
(Score: 2) by sjames on Thursday August 27 2020, @05:15PM (2 children)
It's confusing all around. In a sane filesystem, file.exe and file.doc are two distinct files for the simple reason that the names are different. SOME OSes attach special meaning to the extension. Some OSes foolishly hide the "extension" (which is really just part of the file name).
The problem is that it is possible to get people used to clicking on "CurrentRoster" with the hidden extension .doc and then upload CurrentRoster.exe, getting Google to consider it just another version of CurrentRoster.doc (That's the WTF). Users click it as usual (since .exe was hidden) and run malware.
(Score: 2) by darkfeline on Friday August 28 2020, @02:54AM (1 child)
"File" "names" are not unique in Google Drive. You can upload multiple files all named "foo.txt". So that's not the issue at all.
Google Drive files all have a unique ID separate from their name. You can rename a file and links to the same unique ID will keep pointing to the same file.
This is about someone replacing a MKV file with an executable, so that when someone goes to download it and double click on it, they get pwned. I don't know how Windows works, but changing the extension is optional if the file manager parses the file header to determine how to open it.
Join the SDF Public Access UNIX System today!
(Score: 2) by sjames on Saturday August 29 2020, @03:52AM
This is more or less the opposite. Watch the demo videos in TFA.
Quick synopsis, upload NiceStory.pdf. Reassuring thumbnail of a .pdf appears. Then Manage versions and upload NiceStory.pdf.exe as a new version. In spite of the file now being a .exe, the .pdf thumbnail is still there. Share with world, send email inviting people to read it. They see the re-assuring thumb of a PDF and the name NiceStory.pdf. Open it in Drive and they see the PDF with a nice story. Decide to download for later, they get the .exe even after they took the precaution of previewing in Drive to make sure it was a safe PDF.
So it's not just the name that gets mixed up. If uploading the .exe changed the thumbnail and meant it would no longer open as a PDF in Drive, it would be fair enough. What you see is not what you'll get.
MS gets some of the blame, whoever had the "brilliant" idea to hide file extensions deserves to be beaten with a bucket of wet squirrels, but Drive gets some blame too for enabling the slight of hand.