A Google Drive Flaw Lets Hackers Trick You Into Downloading Malware

Google Drive is one of the more trusted cloud services out there, but that doesn’t mean it’s perfect. As system administrator A. Nikoci tells The Hacker News, bad actors can exploit flaws in Google Drive’s “manage versions” feature to trick you into downloading malware.

To demonstrate, A. Nikoci put together a YouTube video that shows the process. To start, the bad actor needs to upload a legitimate file, like a PDF, and create a shareable link for it. Google Drive will do its thing and generate previews and the like, so anyone who follows the link can see what the file contains.

But the next step is where things get nefarious. Google Drive has a “manage versions” feature that lets you update a file and keep the same shareable link. That’s useful if you need to make some changes to a file you’ve already sent out.

It seems Google Drive doesn’t take as close a look at the new file as it did the original. You can change out the file entirely, even if it has a new extension like .exe, and that doesn’t trigger an update to the preview or update the file name and extension in the shared link site.

The only real indications are a change to the file icon (it no longer shows a PDF icon, for instance) and the .exe extension that is revealed when you download the file. Of course, that could be too late for the right kind of malware. Or you might have the “open when finished downloading” option going.
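The mismatch described above, between the name shown on the shared-link page and the file that actually arrives, can be checked before anything is opened. The Python sketch below is an added example, not code from the article or from Nikoci's demonstration; the function names, the short signature table and the sample file names are assumptions made for illustration.

```python
from pathlib import PurePosixPath

# Leading bytes ("magic numbers") of a few common formats.
MAGIC = {"pdf": b"%PDF-", "exe": b"MZ", "zip": b"PK\x03\x04"}
# Extensions that share a container format listed in MAGIC.
ALIASES = {"docx": "zip", "xlsx": "zip", "pptx": "zip", "dll": "exe", "scr": "exe"}
EXECUTABLE = {"exe"}


def extension(name):
    """Lower-case final extension of a file name, without the dot."""
    return PurePosixPath(name).suffix.lower().lstrip(".")


def sniff(head):
    """Return the format whose magic number starts `head`, else None."""
    for fmt, sig in MAGIC.items():
        if head.startswith(sig):
            return fmt
    return None


def check_download(shown_name, saved_name, head):
    """Compare what the share page showed with what was downloaded.

    shown_name: file name displayed on the shared-link page
    saved_name: file name the browser saved
    head:       first bytes of the downloaded content
    Returns a list of findings; an empty list means no mismatch.
    """
    findings = []
    shown_ext, saved_ext = extension(shown_name), extension(saved_name)
    expected = ALIASES.get(shown_ext, shown_ext)
    actual = sniff(head)
    if shown_ext != saved_ext:
        findings.append(f"extension changed: .{shown_ext} -> .{saved_ext}")
    if expected in MAGIC and actual != expected:
        findings.append(f"content is {actual or 'unknown'}, expected {expected}")
    if actual in EXECUTABLE and expected not in EXECUTABLE:
        findings.append("executable content behind a non-executable name")
    return findings


if __name__ == "__main__":
    # Constructed sample: the link page showed a PDF, the download is a PE file.
    for finding in check_download("report.pdf", "report.exe", b"MZ\x90\x00"):
        print(finding)
```
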

Google Drive doesn’t seem to scan the updated file closely enough to realize it’s malware, even when SmartScreen and other antivirus programs catch the problem. Nikoci says he notified Google of the problem two days ago, but the company hasn’t corrected it.

Here’s hoping that changes soon.

via The Hacker News

Josh Hendrickson
Josh Hendrickson is the Editor in Chief of Review Geek and is responsible for the site's content direction. He has worked in IT for nearly a decade, including four years spent repairing and servicing computers for Microsoft. He’s also a smart home enthusiast who built his own smart mirror with just a frame, some electronics, a Raspberry Pi, and open-source code.