Google Drive has a vulnerability that can be exploited to install malware on your computer. It stems from careless handling of file versions on the storage service.
If, like millions of people around the world, you use Google Drive to store and share personal or business files, you should be aware that a major vulnerability has recently been discovered in the storage service. It leaves you exposed to malware if you frequently download shared files. A security researcher named A. Nikoci has shown how the file versioning feature can be exploited by malicious people to spread malware.
In case you are not familiar with it, Google Drive has a "manage versions" feature that lets you view and access all older versions of a file that is hosted and shared on the storage service. It can also be used to replace an old version of the file with a new one while keeping the same share link.
What is this Google Drive flaw?
It stems from an oversight in the storage service that could have harmful consequences. Google Drive does not check file extensions when you upload a new version of an existing document. The original file can thus be replaced by an executable with very little effort. Worse, Google Drive retains the preview of the original file and does not indicate the changes that have been made to it.
Needless to say, the flaw leaves the door open for malware to spread on a large scale, especially since Drive is often used as a hosting server for files intended for public download. A malicious person can substitute a legitimate file with a malicious version that easily passes Google's verification system.
This is the second vulnerability affecting one of the firm's services to be disclosed this week. Another flaw made it possible to impersonate any Gmail user without their knowledge. A patch for that flaw has already been deployed, but the Google Drive flaw has not yet received the same treatment. A. Nikoci claims to have informed Google of the discovery, but the flaw has still not been fixed. We therefore recommend that you only download shared documents from people you trust. Public files should be avoided altogether.
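One way a file owner or administrator could spot the substitution described above, as an added example that is not part of the original article: it compares consecutive revision records, using the `id`, `modifiedTime`, `mimeType` and `originalFilename` fields that the Drive API v3 returns for revisions, and flags any revision whose extension or MIME type differs from the one before it. The sample records, the extension and MIME lists, and the function names are constructed for illustration.

```python
import os

# Constructed, non-exhaustive lists of types that run code when opened.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".msi",
                   ".js", ".vbs", ".ps1", ".jar", ".sh"}
EXECUTABLE_MIMES = {"application/x-msdownload", "application/x-dosexec",
                    "application/x-executable", "application/x-sh"}

# Constructed sample: revision metadata for one shared file.
SAMPLE_REVISIONS = [
    {"id": "rev-1", "modifiedTime": "2020-08-01T09:00:00.000Z",
     "mimeType": "application/pdf", "originalFilename": "report.pdf"},
    {"id": "rev-2", "modifiedTime": "2020-08-10T09:00:00.000Z",
     "mimeType": "application/pdf", "originalFilename": "report-v2.pdf"},
    {"id": "rev-3", "modifiedTime": "2020-08-20T09:00:00.000Z",
     "mimeType": "application/x-msdownload", "originalFilename": "report.exe"},
]


def ext_of(name):
    """Lower-cased extension of a filename, or '' when there is none."""
    return os.path.splitext(name or "")[1].lower()


def audit_revisions(revisions):
    """Flag revisions whose extension or MIME type differs from the previous one."""
    # UTC RFC 3339 timestamps in one format sort correctly as plain strings.
    ordered = sorted(revisions, key=lambda r: r["modifiedTime"])
    findings = []
    for prev, cur in zip(ordered, ordered[1:]):
        reasons = []
        if ext_of(prev.get("originalFilename")) != ext_of(cur.get("originalFilename")):
            reasons.append("extension changed")
        if prev.get("mimeType") != cur.get("mimeType"):
            reasons.append("mimeType changed")
        if not reasons:
            continue
        # A change that lands on an executable type is the case the article describes.
        executable = (ext_of(cur.get("originalFilename")) in EXECUTABLE_EXTS
                      or cur.get("mimeType") in EXECUTABLE_MIMES)
        findings.append({"revision": cur["id"],
                         "severity": "high" if executable else "review",
                         "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_revisions(SAMPLE_REVISIONS):
        print(finding)
```

A type change between two document formats is reported as `review` rather than `high`, since replacing a file with a different document type can be legitimate.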