If a bad actor is replacing a file through Manage Versions, Drive will not check if the file is of the same type or not.
Google has an unpatched security loophole in Google Drive that hackers can misuse to distribute corrupt or malicious files, according to A Nikoci, a system administrator, via Hacker News. According to the report, these malicious files will be disguised as legitimate images or documents. Nikoci said during the interview that he has already made Google aware of the bug.
The security loophole is in Google Drive’s Manage Versions feature, which allows users to upload and manage different versions of a file. With this, users can track any changes made to their Google Drive files, including editing the file, adding a comment, renaming a folder, and more.
According to Nikoci, if a bad actor is replacing a file through Manage Versions, Drive will not check if the file is of the same type or not. He said that the feature is supposed to replace old files only if the new files have the same extension; however, that is not the case here.
The online preview feature also does not alert the user to the replacement of the file until it is downloaded or installed. As a result, the user is unaware that a legitimate file has been replaced with a malicious one. The Chrome browser also does not raise any alarms, as it trusts files downloaded via Google Drive. However, having a third-party antivirus might help you detect the malware.
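Because the file name and preview cannot be relied on here, a defender can compare what a downloaded file claims to be with what its first bytes say it is. The sketch below is an added example, not code from Nikoci's report or from Google; the function names, the verdict strings and the sample files are constructed for illustration, and the signature table covers only a handful of common formats.

```python
import os

# Leading-byte signatures (well-known magic numbers) for a few common formats.
# Note: "MZ" is only two bytes, so a text file starting with "MZ" would also match.
SIGNATURES = [
    (b"MZ", "pe-executable"),
    (b"\x7fELF", "elf-executable"),
    (b"%PDF-", "pdf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"PK\x03\x04", "zip"),
]
# Content each extension should contain; OOXML documents are ZIP containers.
EXPECTED = {
    ".pdf": "pdf", ".png": "png", ".jpg": "jpeg", ".jpeg": "jpeg", ".gif": "gif",
    ".zip": "zip", ".docx": "zip", ".xlsx": "zip", ".pptx": "zip",
    ".exe": "pe-executable", ".dll": "pe-executable",
}
EXECUTABLE = {"pe-executable", "elf-executable"}

def sniff(head: bytes) -> str:
    """Classify content by its first bytes; 'unknown' if no signature matches."""
    for magic, kind in SIGNATURES:
        if head.startswith(magic):
            return kind
    return "unknown"

def check_download(filename: str, head: bytes) -> str:
    """Return 'ok', 'mismatch', 'block' or 'unknown-extension' for a download."""
    expected = EXPECTED.get(os.path.splitext(filename)[1].lower())
    actual = sniff(head)
    if actual in EXECUTABLE and expected not in EXECUTABLE:
        return "block"          # executable bytes behind a non-executable name
    if expected is None:
        return "unknown-extension"
    return "ok" if actual == expected else "mismatch"

if __name__ == "__main__":
    # Constructed samples: (file name as shown to the user, first bytes on disk).
    samples = [
        ("invoice.pdf", b"%PDF-1.7\n"),
        ("holiday.jpg", b"MZ\x90\x00\x03\x00"),
        ("report.docx", b"PK\x03\x04\x14\x00"),
        ("photo.png", b"\xff\xd8\xff\xe0"),
    ]
    for name, head in samples:
        print(f"{name:12} -> {check_download(name, head)}")
```

A check like this complements antivirus scanning rather than replacing it: it catches a type swap, not malicious content inside a file of the expected type.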
Nikoci has informed Google about the loophole, but the company is yet to put out a statement regarding this. However, keeping in mind the company's track record in patching such bugs, we can expect it to release an update soon to fix the issue.
This security bug can be used by bad actors to mount spear-phishing attacks. Spear phishing is a technique in which users are tricked into opening a dangerous file. This leads to users sharing their confidential information with the hackers directly, or to the hackers extracting the information secretly by installing malware or spyware on the user’s system.
In related news, security researcher Allison Husain recently made public a bug impacting Gmail and G Suite email servers. This bug allowed hackers to send spoofed emails on behalf of any Gmail or G Suite user. Google has already patched this bug.