Google Drive users beware, hackers can use this flaw to trick you into installing malware

Hackers might be able to trick users of Google Drive into installing malware, according to A Nikoci, a system administrator. He said that there was an unpatched security loophole in Drive that could allow hackers to send out malicious files disguised as legitimate images and documents. He also said that he had already made Google aware of the bug.

The security bug is in the ‘manage versions’ feature offered by Google. It allows users to upload and manage different versions of a file. Using this, users can track any changes made to their Google Drive files, including who made those changes. The changes that can be tracked include when someone has edited or commented in Google Docs, renamed a file or a folder, uploaded a new file to a folder, moved or removed an item, and shared or unshared a file or folder.

Nikoci said that this feature should only allow users to update a file with a newer version that has the same file extension, but that is not the case. He said that the feature allows users to update an older file with a new version that might not have the same extension, so even a malicious executable can be uploaded as a new version of a legitimate older file.

According to Nikoci, when a malicious file replaces the old file and users preview this file online, they are not made aware of any change. This leaves them vulnerable, since they might not know that their legitimate file has been replaced with a malicious one until they have already downloaded it. This loophole can be used by cybercriminals for spear phishing attacks. What’s more, the Chrome browser implicitly trusts files downloaded through Google Drive, even when other antivirus software detects or suspects malware.
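From the defender's side, the mismatch described above can be looked for in a file's version history. The following is an added example, not code from the article, Nikoci or Google: it assumes revision metadata has already been exported as dictionaries shaped like Drive API v3 Revision resources (`id`, `originalFilename`, `mimeType`, `modifiedTime`); the sample records, the extension list and the function names are constructed for illustration.

```python
import os

# Constructed sample records, shaped like Drive API v3 Revision resources.
SAMPLE_REVISIONS = [
    {"id": "1", "originalFilename": "invoice.pdf",
     "mimeType": "application/pdf", "modifiedTime": "2020-08-01T10:00:00Z"},
    {"id": "2", "originalFilename": "invoice_v2.pdf",
     "mimeType": "application/pdf", "modifiedTime": "2020-08-03T09:30:00Z"},
    {"id": "3", "originalFilename": "update.exe",
     "mimeType": "application/x-msdownload", "modifiedTime": "2020-08-05T14:12:00Z"},
]

# Assumption: extensions this audit treats as directly executable on Windows.
EXECUTABLE_EXTS = {".exe", ".scr", ".msi", ".bat", ".cmd", ".vbs", ".ps1", ".jar"}


def _ext(name):
    """Lower-cased extension of a file name, or '' when there is none."""
    return os.path.splitext(name or "")[1].lower()


def audit_revisions(display_name, revisions):
    """Flag revisions whose type differs from the file's first revision.

    Returns a list of {"revision": id, "reasons": [...]} in time order.
    """
    # RFC 3339 UTC timestamps in one format sort correctly as strings.
    ordered = sorted(revisions, key=lambda r: r["modifiedTime"])
    if not ordered:
        return []
    baseline = ordered[0]
    base_ext = _ext(baseline.get("originalFilename")) or _ext(display_name)
    base_mime = baseline.get("mimeType")

    findings = []
    for rev in ordered[1:]:
        reasons = []
        rev_ext = _ext(rev.get("originalFilename"))
        # Revisions without an original file name are not compared by extension.
        if rev_ext and rev_ext != base_ext:
            reasons.append("extension_changed")
        if rev.get("mimeType") != base_mime:
            reasons.append("mime_changed")
        if rev_ext in EXECUTABLE_EXTS:
            reasons.append("executable_extension")
        if reasons:
            findings.append({"revision": rev["id"], "reasons": reasons})
    return findings
```

With the constructed history above, only revision 3 is reported, because the file shown as `invoice.pdf` gained a version uploaded from `update.exe`.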

Spear phishing attacks are ones where users are inadvertently made to open files that contain malware. They are usually used to collect confidential information from the targeted users.

This disclosure by Nikoci has come on the heels of another bug that was publicly announced by security researcher Allison Husain. Husain said that a bug in Gmail and G Suite servers was allowing hackers to send spoofed emails on behalf of any of the users of Gmail or G Suite. This bug has been patched by Google.
