Attackers may deceive you to install malware for a Google Drive flaw
The cloud storage service reportedly doesn’t check to see if a file is of the same type, or even enforce the same extension
There is way in Google Drive which can let hackers trick you to install rogue code.
Attackers can swap a file with malware allowed by a feature called "manage versions", a flaw in the drive, according to System Administrator A Nikoci, reports Engadget.
The cloud storage service reportedly doesn't check to see if a file is of the same type, or even enforce the same extension. An innocuous cat photo may be a program in disguise.
The online preview doesn't hint at any changes or raise alarms, so you might not know there's a problematic file until you've already installed it. Chrome seems to "implicitly trust" the Drive downloads even when other antivirus programs detect something amiss.
The approach could be used for spear phishing attacks that trick users into compromising their systems. You might get a notification of a document update and grab the file without realizing the threat.
Nikoci said he notified Google about the issue, but that it was still unpatched as of August 22nd. We've asked Google for comment.
This would mainly be useful for attacking companies that rely on Google Drive for sharing documents, but that's increasingly common. The description also suggests that this would require a significant change to Drive's version control. For now, the best solutions may be to use antivirus software and be wary of Google Drive file update alerts, especially if you weren't expecting them.
