
The Overheard Blog

by Overseer Security


Google Drive Vulnerability Tricks Users Into Installing Malware

This latest security issue in a G Suite product comes after a recently fixed security flaw in Gmail that could have allowed a threat actor to send spoofed emails mimicking any Gmail or G Suite customer, even with strict DMARC/SPF security policies enabled. This particular issue exists because of the Google Drive "manage versions" functionality combined with the way the Drive interface exposes a new version of a file to a user.


The "Manage Version" Feature Vulnerability


The manage version feature allows Google Drive users to upload and manage different versions of a file. A malicious actor can use it to upload a harmless image or document file to Drive and then update this file by uploading a different "version" of it. This new version can actually be an executable (e.g. a Windows exe file) and is not restricted to the same file type as the parent file.


The Google Drive Interface Vulnerability


Unfortunately, this story gets worse. A malicious attacker can now send this file to a victim using the built-in Google Drive sharing feature. When the user receives and clicks on the email notification, Drive shows them a file preview featuring only the original harmless image or document. The file name and extension displayed also clearly indicate just the original harmless file (e.g. it is displayed as a PDF or JPG or PNG). However, an attempt at downloading this file actually downloads the malicious executable "version" of the file to the victim's computer. If the victim is not paying attention to the file extension after the download, their instinct will likely be to click on the downloaded file to launch it.
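A defender-side check for the mismatch described above, as an added example that is not part of the original post or Google's code: it compares the name Drive displays with the filename and MIME type recorded for each uploaded version. The records are constructed samples that use the `name`, `id`, `mimeType` and `originalFilename` field names of the Drive API v3 file and revision resources; the extension and MIME lists are illustrative assumptions.

```python
import os

# Illustrative (not exhaustive) markers of executable content.
EXEC_EXTS = {".exe", ".dll", ".scr", ".msi", ".bat", ".cmd", ".ps1", ".vbs", ".jar"}
EXEC_MIMES = {"application/x-msdownload", "application/x-dosexec",
              "application/vnd.microsoft.portable-executable"}

# Constructed sample: the file as displayed, and the versions uploaded under it.
SAMPLE_FILE = {"name": "invoice.pdf", "mimeType": "application/pdf"}
SAMPLE_REVISIONS = [
    {"id": "rev-1", "mimeType": "application/pdf", "originalFilename": "invoice.pdf"},
    {"id": "rev-2", "mimeType": "application/x-msdownload", "originalFilename": "update.exe"},
    {"id": "rev-3", "mimeType": "image/png", "originalFilename": "invoice.png"},
    {"id": "rev-4", "mimeType": "application/x-dosexec"},  # filename not recorded
]


def _ext(name):
    """Lower-cased extension of a filename, or '' when the name is missing."""
    return os.path.splitext(name or "")[1].lower()


def audit_revisions(file_meta, revisions):
    """Flag versions whose uploaded type differs from the displayed file name.

    'high'   = the version looks executable (by extension or MIME type)
    'review' = the extension changed, but not to a known executable type
    """
    shown_ext = _ext(file_meta["name"])
    findings = []
    for rev in revisions:
        rev_ext = _ext(rev.get("originalFilename"))
        executable = rev_ext in EXEC_EXTS or rev.get("mimeType") in EXEC_MIMES
        ext_changed = bool(rev_ext) and rev_ext != shown_ext
        if not (executable or ext_changed):
            continue
        findings.append({
            "revision": rev["id"],
            "shown_as": file_meta["name"],
            "uploaded_as": rev.get("originalFilename"),
            "severity": "high" if executable else "review",
        })
    return findings


if __name__ == "__main__":
    for finding in audit_revisions(SAMPLE_FILE, SAMPLE_REVISIONS):
        print(finding)
```
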





The issue has been reported to Google but, unfortunately, has not been patched yet.


References:

https://thehackernews.com/2020/08/google-drive-file-versions.html
