HIGHLIGHTS Google Drive has an unpatched bug in its Manage Versions feature. The feature lets users upload and manage different versions of ...
HIGHLIGHTSGoogle Drive has an unpatched bug in its Manage Versions feature.
The feature lets users upload and manage different versions of a file.
Given the bug, a hacker could easily replace a legitimate file with a malicious one for the users.
Google Drive has a flaw that can allow hackers to fool users to install malware as per A Nikoci, a system administrator. Nikoci, in an interview with Hacker News, said that an unpatched security loophole in Google Drive could be misused by hackers to distribute corrupt or malicious files disguised as legitimate images or documents. He said that he has made Google aware of the bug.
The security bug is in Google Drive's Manage Versions feature. The Manage Versions feature allows users to upload as well as manage different versions of a file. Using this, users can track any changes made to their Google Drive files, including tracking who made those changes.
The changes that can be noticed include tracking when someone has edited or commented in Google Docs, renamed a file or a folder, uploaded a new file to a folder, moved or removed an item, and also when someone has shared or unshared a file or folder.
As per reports, when a file is being replaced through Manage Versions, Google Drive does not check to see if a file is the same type, or even enforce the same extension. Nikoci stated that the feature is supposed to replace older files only if the new files are of the same extension but it is not the case. Moreover, the online preview does not caution the user or raise any alarms during the replacement of the file till it is downloaded or installed. Thus, users are not aware of their legitimate file being replaced with malicious ones thereby causing damage. Google Chrome browser trusts files downloaded through Google Drive even when other antivirus software detect malware.
The security bug can be used by hackers for spear phishing attacks. Spear phishing attacks aim at retracting confidential information of users to cause them harm.
Google is yet to issue an official statement on this but the company has recently fixed a high-severity flaw in the latest version of Chrome browser that could lead to code execution, as per a latest report by IANS.
The Google Chrome web browser had a use-after-free vulnerability in its "WebGL" component that could allow a user to execute arbitrary code in the context of the browser process. With proper memory layout manipulation, an attacker can gain full control of this use-after-free vulnerability which could ultimately lead to arbitrary code execution in the context of the browser.
According to Jon Munshaw from Cisco Talos, the security researchers worked with Google to ensure that these issues are resolved and that an update is available for affected customers.
"This vulnerability specifically exists in ANGLE, a compatibility layer between OpenGL and Direct3D that Chrome uses on Windows systems," Munshaw told IANS on Monday.
A hacker could manipulate the memory layout of the browser in a way that they could gain control of the use-after-free exploit, which could ultimately lead to arbitrary code execution.
COMMENTS