Attackers can add an arbitrary page to the end of a Google login flow that can steal users’ credentials or, alternatively, send users an arbitrary file any time a login form is submitted, due to a bug in the login process.
A researcher in the UK identified the vulnerability recently and notified Google of it, but Google officials said they don’t consider it a security issue. The bug results from the fact that the Google login page will take a specific, weak GET parameter.
“Google’s login page accepts a vulnerable GET parameter, namely ‘continue’. As far as I can determine, this parameter undergoes a basic check,” Aidan Woods, the researcher who discovered the bug, wrote in an explanation of the flaw.