Google's Gmail login page can be spoofed for a phishing attack, using a frame injection technique and exploiting a Google domain vulnerability.
That claim comes from Adrian Pastor of GNUCitizen, an ethical-hacking collective, who has developed a proof-of-concept (PoC) example.
Pastor posted the frame-injection PoC against Google on the GNUCitizen blog. He explained that frame injection works by placing the URL of a third-party website in the “targeturl” parameter of the Google Images result address, so that the attacker's page is framed in place of the page the image result would normally show.
In the PoC example against Google, the result is a legitimate looking Gmail login page that can be used to launch a phishing attack against users. When a username and password are filled out and the user clicks "submit," their login credentials go to a third-party page controlled by the attacker.
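To make the mechanism concrete, the following is an added example and not code from GNUCitizen, Pastor or Google. It models a minimal "frame page" that takes a target URL from its query string and frames it, first in the vulnerable shape the article describes (the parameter value becomes the frame source unchecked, so a third-party login form appears under the framing site's address) and then in a hardened form that only frames allow-listed hosts over https. Only the parameter name "targeturl" is taken from the article; the site origin, the allow-list and the page layout are assumptions for illustration.

```javascript
// Added example (not code from GNUCitizen, Pastor or Google): a minimal model of
// a "frame page" that takes a target URL from its query string and frames it,
// first in the vulnerable shape the article describes and then hardened.
// Only the parameter name "targeturl" comes from the article; SITE_ORIGIN,
// ALLOWED_HOSTS and the page layout are assumptions for illustration.
// Runs under Node.js (uses the global URL and URLSearchParams).

const SITE_ORIGIN = "https://images.example.com";                          // assumed
const ALLOWED_HOSTS = new Set(["images.example.com", "www.example.com"]);  // assumed

// Escape for use inside an HTML attribute. This stops markup injection but,
// as the article notes, frame injection needs none: the URL itself is the payload.
function htmlEscape(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Page layout: a site header frame on top, the target page below.
function framesetFor(targetHref) {
  return `<frameset rows="80,*">` +
    `<frame src="${SITE_ORIGIN}/header">` +
    `<frame src="${htmlEscape(targetHref)}">` +
    `</frameset>`;
}

// Vulnerable: whatever is in ?targeturl= becomes the src of the main frame,
// so a third-party login form is shown while SITE_ORIGIN is in the address bar.
function buildFramePageVulnerable(queryString) {
  const target = new URLSearchParams(queryString).get("targeturl") || "";
  return framesetFor(target);
}

// Returns an absolute URL string the page may frame, or null to refuse.
function validateTarget(rawTarget) {
  let u;
  try {
    u = new URL(rawTarget, SITE_ORIGIN); // relative paths resolve to our own origin
  } catch (e) {
    return null; // unparseable input
  }
  if (u.protocol !== "https:") return null;        // rejects http:, javascript:, data:
  if (!ALLOWED_HOSTS.has(u.hostname)) return null; // exact host match, never a suffix match
  return u.href;
}

// Hardened: only frames pages on the allow-listed hosts.
function buildFramePageHardened(queryString) {
  const raw = new URLSearchParams(queryString).get("targeturl") || "";
  const target = validateTarget(raw);
  if (target === null) {
    return `<p>Refusing to frame a page outside ${htmlEscape(SITE_ORIGIN)}.</p>`;
  }
  return framesetFor(target);
}

// Constructed attacker request, modelled on the article's description.
const ATTACK_QUERY = "targeturl=http://attacker.example/fake-login";
console.log(buildFramePageVulnerable(ATTACK_QUERY));
console.log(buildFramePageHardened(ATTACK_QUERY));
```

The checks in validateTarget are the ones that matter in practice: resolving the value against the site's own origin so that protocol-relative input such as `//attacker.example/` is seen for what it is, requiring https rather than accepting any scheme, and comparing the hostname exactly against the allow-list rather than by suffix, which would let `www.example.com.attacker.example` through.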
“The attacker has managed to display a non-legitimate third-party page, while the legitimate domain (mail.google.com, in this case) is shown in the address bar,” Pastor wrote in a blog post. “The beauty of frame injection attacks is that the attacker is able to impersonate a trusted entity without needing to bypass XSS/HTMLi filters or even break into the target server.”
Pastor's example exploits a security design flaw in the way Google shares web applications across domains, which security researcher Aviv Raff reported to Google in April. In his blog, Raff explains that Google applications such as Gmail, Google Maps, Images and News can be accessed across multiple subdomains; Google News can be served from the Google Maps subdomain, for example.
The frame-injection PoC targets Google Images, and the cross-domain flaw lets the spoofed page be served under the Gmail domain. Pastor told SCMagazineUS.com Monday that by using the cross-domain sharing issue to put Gmail's domain in the address bar, an attacker can mount a convincing phishing attack against Gmail users.
Though the PoC page looks similar to Gmail's login page, a few elements mark it as illegitimate. For one, its address begins with “http” rather than “https”, whereas Gmail's login is always served over SSL. Also, the top of the frame identifies it as an image search result, further marking the page as suspicious, a Google spokesperson told SCMagazineUS.com Monday.
Google said it is aware of this concept and that, if it turns up as an in-the-wild attack, it will take steps to address it.
"We're aware of the potential for this kind of behavior when services are hosted across multiple domains, and we take steps to restrict it where we believe it may have security consequences,” a Google spokesperson told SCMagazineUS.com Monday.