Researcher Finds Whitelist Bypass on Google Login Page

Google’s login page is plagued by a whitelist bypass vulnerability that could allow an attacker to redirect users to arbitrary pages or trick them into downloading malicious code, security researcher Aidan Woods claims.

According to the researcher, Google’s login page accepts a GET parameter, ‘continue’, that undergoes only a basic check: its value has to point to a Google service, but the type of service specified is not verified. Thus, an attacker could insert any desired service at the end of the login process, the researcher says.

Because of that, the vulnerability can be exploited for arbitrary file upload via Google Drive, but also for open redirects via various services. To point the user to an arbitrary file, however, public link sharing must be enabled after the file has been uploaded to Google Drive.

To exploit the vulnerability for open redirects, an attacker would have to set the value of the vulnerable parameter to “continue=,” which would allow them to send the user to an arbitrary page after login, the researcher explains. Thus, Google’s legitimate login page can be leveraged for phishing attacks.

For example, Woods notes, the user might be told that the password they just entered is incorrect and asked to enter it again. However, the user has already been “unknowingly and seamlessly redirected to an attacker’s website while in the process of logging in to the legitimate,” and they would hand the password to the attacker instead.

The researcher also explains that the ‘continue’ parameter accepts the domain as a value, meaning that an attacker could link to an almost arbitrary file hosted in Google Drive, as long as public link sharing has been enabled for it. What’s more, an attacker can specify the direct download path, thus prompting the browser to download the file without leaving the legitimate login page, which could lead the user to believe that Google sent the file.

The researcher says that he was able to successfully specify both .html and .exe files and have the browser download them without leaving the login page. Because of that, he says, Google’s login page is plagued with a URL whitelist bypass vulnerability, where the whitelist is the one in place on the ‘continue’ parameter (it would accept only ** domains).
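The gap described above, a redirect whitelist that checks the domain but not which service is named, can be shown next to a stricter validator. This is an added example, not code from Google or the researcher; the `example.test` hosts, paths and function names are constructed placeholders, since the article does not give the real whitelist.

```python
from urllib.parse import urlsplit

# Constructed placeholder; stands in for the whitelisted domain.
TRUSTED_SUFFIX = ".example.test"

# Hardened policy: exact (host, path) pairs that are valid post-login landing
# pages. File-hosting and redirector services are simply not listed.
ALLOWED = {
    ("mail.example.test", "/inbox"),
    ("accounts.example.test", "/settings"),
}
DEFAULT_DESTINATION = "https://accounts.example.test/settings"


def domain_only_check(target: str) -> bool:
    """Weak check of the kind the article describes: any host under the
    trusted domain passes, whatever service it is."""
    host = urlsplit(target).hostname or ""
    return host == TRUSTED_SUFFIX[1:] or host.endswith(TRUSTED_SUFFIX)


def strict_check(target: str) -> bool:
    """Accept only https URLs whose host and path are both allow-listed."""
    try:
        parts = urlsplit(target)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https" or port not in (None, 443):
        return False
    if parts.username or parts.password or parts.query or parts.fragment:
        return False
    return (parts.hostname or "", parts.path) in ALLOWED


def safe_continue(target: str) -> str:
    """Return the post-login destination, falling back to a fixed default."""
    return target if strict_check(target) else DEFAULT_DESTINATION


# Constructed sample values for the 'continue' parameter.
SAMPLES = [
    "https://mail.example.test/inbox",                      # intended use
    "https://drive.example.test/download?id=FILE_ID",       # file-hosting service
    "https://redirect.example.test/url?q=https://other.invalid/",  # redirector
    "https://mail.example.test.other.invalid/inbox",        # look-alike host
]
```

The first three samples all pass `domain_only_check`, while `strict_check` accepts only the first; rejected values fall back to the fixed default rather than being followed.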

Woods also notes that users can prevent this vulnerability from being exploited by always checking the URL (at each stage of the login process), by not logging in after clicking links that don’t come directly from Google, and by never running files that appear to come from Google during sign-in.

The researcher also reveals that he sent three different reports to Google to point out the issue. Apparently, only the third report was forwarded to a Google employee, who dismissed it in the end, saying that the issue won’t be tracked as a security bug.

“Only first reports of technical security vulnerabilities that substantially affect the confidentiality or integrity of our users’ data are in scope, and we feel the issue you mentioned does not meet that bar,” Google told the researcher. However, Woods believes that the security vulnerability is as real as it can be and that the public disclosure might persuade Google to change its position on the matter. He even published a video detailing the vulnerability.
