Google Drive has a flaw that can be exploited to install malware on your computer. The vulnerability stems from careless handling of file versions on the storage service.
If, like millions of people around the world, you use Google Drive to store and share personal or work files, you should know that a major flaw has recently been discovered in the storage service. It leaves you exposed to malware if you frequently download shared files. A security researcher named A. Nikoci has demonstrated how the file version management feature can be exploited by malicious actors to spread malware.
In case you didn't know, the "manage versions" function on Google Drive lets you see and access all the old versions of a file hosted and shared on the storage service. It can also be used to replace an old version of the file with a new file while keeping the same sharing link.
What is this Google Drive flaw?
It stems from an oversight in the storage service whose consequences could be harmful: Google Drive does not check file extensions when you upload a new version of an already existing document. The original file can thus be replaced by an executable in the simplest way. Worse, Google Drive keeps the preview of the original file and does not show any of the newly made changes.
It goes without saying that the flaw leaves the door open to the large-scale spread of malware, especially since Drive is often used to host files intended for public download. A malicious person can replace a legitimate file with a tampered version that easily passes Google's verification system.
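For anyone who owns or administers shared files, one way to spot this kind of substitution is to compare the type of every later version against the first one. The sketch below is an added example, not code from the original article or from Google; it runs on constructed records whose field names (`id`, `mimeType`, `originalFilename`, `modifiedTime`) are modeled on the revision metadata of the Drive API v3, and the extension list is an illustrative assumption.

```python
import os

# Extensions that run code when opened on common desktops (illustrative, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".msi", ".scr", ".bat", ".cmd", ".ps1",
                   ".vbs", ".js", ".jar", ".sh", ".apk", ".dmg"}

def _ext(name):
    """Lower-cased final extension, or '' when the revision has no filename."""
    return os.path.splitext(name or "")[1].lower()

def audit_revisions(revisions):
    """Compare every later revision with the first one and report type changes.

    `revisions` is a list of dicts, oldest first, with the keys
    id, mimeType, originalFilename and modifiedTime.
    Returns a list of (revision_id, severity, reason) tuples.
    """
    if not revisions:
        return []
    base = revisions[0]
    base_ext, base_mime = _ext(base.get("originalFilename")), base.get("mimeType")
    findings = []
    for rev in revisions[1:]:
        ext, mime = _ext(rev.get("originalFilename")), rev.get("mimeType")
        reasons = []
        if ext != base_ext:
            reasons.append(f"extension {base_ext or '(none)'} -> {ext or '(none)'}")
        if mime != base_mime:
            reasons.append(f"mimeType {base_mime} -> {mime}")
        if reasons:
            # A switch to an executable type is the case the article describes.
            severity = "high" if ext in EXECUTABLE_EXTS else "medium"
            findings.append((rev["id"], severity, "; ".join(reasons)))
    return findings

# Constructed sample: a PDF whose third version is an executable.
SAMPLE = [
    {"id": "r1", "mimeType": "application/pdf",
     "originalFilename": "invoice.pdf", "modifiedTime": "2020-08-01T10:00:00Z"},
    {"id": "r2", "mimeType": "application/pdf",
     "originalFilename": "invoice-v2.PDF", "modifiedTime": "2020-08-05T09:30:00Z"},
    {"id": "r3", "mimeType": "application/x-msdownload",
     "originalFilename": "invoice.pdf.exe", "modifiedTime": "2020-08-20T22:14:00Z"},
]

if __name__ == "__main__":
    for rev_id, severity, reason in audit_revisions(SAMPLE):
        print(f"[{severity}] revision {rev_id}: {reason}")
```

Because the preview keeps showing the original file, the version metadata is the place where the change is visible; a renamed version with the same type (r2 in the sample) is not flagged.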
This is the second vulnerability affecting one of the firm's services to be revealed this week. Another flaw made it possible to impersonate any Gmail user without their knowledge. A fix for that one has already been deployed, but the Google Drive flaw has not yet received the same treatment. A. Nikoci claims to have informed Google of the discovery, but the flaw has still not been fixed. We therefore recommend that you only download shared documents from people you trust. Publicly shared files should be avoided entirely.
Source: The Hacker News