Google has said it will not fix a potential security flaw that could trick a user into downloading malware from its login window.
The company told security researcher Aidan Woods it “made the decision not to track” his bug bounty submission as a vulnerability.
Woods explained on his blog that Google’s login screen allows an app or service to redirect to a page after the user signs in.
The theory goes that an attacker could trick a user into clicking a genuine-looking login link whose post-sign-in redirect points to a malware file.
But Google said that the redirect page has to fall within “*google.com” domains, limiting its impact.
The problem, said Woods, is that a file hosted on “drive.google.com” or “docs.google.com”, both of which fall within that Google subdomain restriction, could still be used to serve up malware while hiding behind a genuine Google login page.
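The two policies in dispute can be shown side by side. The following is an added example written for this article, not code from Google or from Woods: it models a redirect validator that accepts any host under a wildcard suffix, as the article describes, next to one that accepts only an explicit list of hosts and refuses the user-content hosts the article names. The hosts in the explicit allowlist and the sample URLs are constructed assumptions for illustration.

```python
from urllib.parse import urlsplit

# Constructed: a wildcard rule of the "*.google.com" kind described in the article.
WILDCARD_SUFFIX = ".google.com"

# Constructed assumption: explicit hosts that serve only first-party login/account pages.
# This list is an illustration, not Google's actual configuration.
EXPLICIT_ALLOWLIST = {"accounts.google.com", "myaccount.google.com"}

# Hosts named in the article that can serve user-uploaded files.
USER_CONTENT_HOSTS = {"drive.google.com", "docs.google.com"}


def _host_of(url: str):
    """Return the lowercase hostname of an absolute http(s) URL, or None otherwise.

    urlsplit().hostname drops userinfo and port, so "https://a.google.com@evil.example/"
    resolves to "evil.example", and scheme-relative "//host/path" has no usable scheme.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return None
    return parts.hostname or None


def allowed_by_wildcard(url: str) -> bool:
    """Weak policy: any host under the suffix passes, user-content subdomains included."""
    host = _host_of(url)
    if host is None:
        return False
    # The leading dot in the suffix keeps "evilgoogle.com" from matching.
    return host == WILDCARD_SUFFIX.lstrip(".") or host.endswith(WILDCARD_SUFFIX)


def allowed_by_explicit_list(url: str) -> bool:
    """Stricter policy: only named hosts pass, and user-content hosts are refused outright."""
    host = _host_of(url)
    if host is None:
        return False
    if host in USER_CONTENT_HOSTS:
        return False
    return host in EXPLICIT_ALLOWLIST


def evaluate(url: str) -> dict:
    """Report how each policy treats a candidate redirect target."""
    return {"wildcard": allowed_by_wildcard(url), "explicit": allowed_by_explicit_list(url)}


if __name__ == "__main__":
    # Constructed sample targets; the first is the case the article is about.
    for sample in (
        "https://drive.google.com/constructed-file",
        "https://accounts.google.com/",
        "https://accounts.google.com@evil.example/",
        "https://evilgoogle.com/",
        "//docs.google.com/constructed-file",
    ):
        print(sample, evaluate(sample))
```

The difference that matters is the first sample: the wildcard rule admits a file on a user-content host, while the explicit list does not. The remaining samples show the checks that any redirect validator needs regardless of policy: parse the URL rather than string-match it, so that userinfo tricks, lookalike domains, and scheme-relative targets are all rejected.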
The search giant said in its reply to Woods: “Only first reports of technical security vulnerabilities that substantially affect the confidentiality or integrity of our users’ data are in scope, and we feel the issue you mentioned does not meet that bar.”
Woods, believing Google didn’t fully understand the issue, published the full exchange of emails on his blog.