A vulnerability that allows it to be used for fraud has been found in the American company's network drive.
As “Izvestiya” has found out, spam mailings can be sent through the Google Drive online storage service. Experts at the antivirus company “Doctor Web” confirmed the vulnerability to the correspondent.
According to experts at J’Son and Partners, the number of Google Docs users worldwide exceeds 425 million.
Google Docs is an integral part of the Google Drive network storage service. It allows authorized Google users to create and edit, in real time, documents that are compatible with the Microsoft Word, Excel and PowerPoint formats, and to share these documents with Gmail users. However, the access settings function is built in such a way that it can be used to send spam.
After creating a document in docx format in their personal account, a user can click “Access Setup” and enter the email addresses of all the Gmail users to whom the document should be sent. After the user clicks “Finish”, the document appears in the personal accounts of the victims whose addresses were added. No one asks their permission for the document to appear in their personal account.
The specialists at “Doctor Web” add the caveat that using this method for large-scale spamming is unprofitable, since the maximum number of users who can be granted access to a document is 200.
Symantec, a company that specializes in data protection, said that automatically delivering documents to anyone is in any case not a good idea.
– There are several reasons: an attacker can take advantage of the opportunity to litter other people's mailboxes, sending people unnecessary content, harassment, false information, attempts to attack users, etc., – says Oleg Shaburov, head of information security at Symantec. – Like any self-respecting provider, Google probably checks uploaded files for malicious content. However, an attacker can create a code sample that cannot be detected by antivirus, or perhaps take a simpler route: for example, put a link to an infected site in the file.
According to him, in terms of safety and convenience it is reasonable to let the user control whether other people can add documents to their Google Drive. For example, the user could create a list of those who can add documents without any additional permission, or only after confirmation by the account holder, etc.
– This measure would make the system more flexible, convenient and safe, – sums up Shaburov.
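Shaburov's proposal, sketched as an added example that is not from the article or from Google: a recipient-side policy in which senders on a trusted list add documents directly and everyone else waits for the account holder's confirmation. The `Drive`, `SharePolicy` and `Decision` names and the example.com addresses are hypothetical.

```python
from dataclasses import dataclass, field
from enum import Enum

class Decision(Enum):
    DELIVERED = "delivered"   # document appears in the recipient's drive
    PENDING = "pending"       # held until the account holder confirms
    REJECTED = "rejected"     # sender is blocked, nothing is shown

@dataclass
class SharePolicy:            # hypothetical recipient-side settings
    trusted: set = field(default_factory=set)   # may add documents directly
    blocked: set = field(default_factory=set)
    require_confirmation: bool = True  # False models the behaviour the article describes

@dataclass
class Drive:                  # hypothetical model of one user's storage
    policy: SharePolicy
    visible: list = field(default_factory=list)
    pending: list = field(default_factory=list)

    def receive_share(self, sender, title):
        sender = sender.strip().lower()
        if sender in self.policy.blocked:
            return Decision.REJECTED
        if sender in self.policy.trusted or not self.policy.require_confirmation:
            self.visible.append((sender, title))
            return Decision.DELIVERED
        self.pending.append((sender, title))
        return Decision.PENDING

    def resolve(self, sender, title, accept, remember=False):
        """Account holder's answer to a pending share; remember updates the lists."""
        item = (sender.strip().lower(), title)
        if item not in self.pending:
            return False
        self.pending.remove(item)
        if accept:
            self.visible.append(item)
        if remember:
            (self.policy.trusted if accept else self.policy.blocked).add(item[0])
        return True

if __name__ == "__main__":
    # Constructed sample shares; addresses are placeholders.
    drive = Drive(SharePolicy(trusted={"colleague@example.com"}))
    for who, doc in [("colleague@example.com", "Q3 report"),
                     ("stranger@example.com", "Top Secret")]:
        print(who, doc, drive.receive_share(who, doc).value)
    drive.resolve("stranger@example.com", "Top Secret", accept=False, remember=True)
    print(drive.receive_share("stranger@example.com", "Top Secret 2").value)
    print("visible:", drive.visible)
```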
This Google mistake is dangerous for another reason: in October, specialists at “Kaspersky Lab” found that if a link to a Google Docs document is inserted into the body of a letter sent from Gmail to Gmail, then this link is verified by means of the mailer's built-in antivirus.
– Sometimes the link in spam leads to a Google document, and the document itself contains an advertisement. This is done to bypass content filters. In addition, google.spreadsheets forms (an online spreadsheet, similar to MS Excel. – “Izvestiya”) have recently often been used by fraudsters to steal users’ email addresses, – says Daria Gudkov, head of content analysis at “Kaspersky Lab”. – Users receive a letter supposedly from the mail administrator in which, under various pretexts – for example, that the mailbox size limit has been exceeded – the user is asked to follow a link to a table on Google. There they are prompted to enter the username and password for the mailbox, and once they click submit, the data is sent to the fraudsters.
Thanks to the new vulnerability, fraudsters can go another way and remove the need to send a letter referring to Google documents: they create a new document, give it an interesting name, and open access to it for potential victims, who will receive a notification from Google. It will say that access has been opened to a file with some catchy name – for example, “Top Secret.” Typically, hackers play on the victim's curiosity.
“Yandex” and Mail.ru Group also have services that allow Microsoft Office format documents to be read, but not edited, online. Like Gmail, they disable macros for safety when a document is viewed.
“Yandex” reported that its service converts documents into Hypertext Markup Language (html), which allows the user to read and view the contents of a document without fear of triggering a macro “sewn” into it that can be harmful.
In the Mail.Ru mail service it is also possible to send documents to other people, knowing their e-mail.
– Our documents are sent by regular mail (as attachments) and therefore, like any other letter, are checked by all of our anti-spam filters. In today’s world, any opportunity to send a message to another user may lead to spammers starting to use it. Accordingly, the objective of any service is to ensure adequate protection so that users do not suffer. I think that Google has simply not thought about how to connect anti-spam technology to document sharing, but if the problem takes on a massive scale, I’m sure they will take care of it.