It can happen with just one click
A bug in Google’s single sign-on web widget, YOLO, can be abused by websites to deanonymize visitors via a clickjacking technique, a security researcher has warned.
The exploit means that an individual’s name, profile picture, and email address can be made accessible when they inadvertently click on an invisible button.
Clickjacking is a well-documented technique to create a malicious page in which a click on an apparently harmless element – be it a button or even just somewhere on a webpage – performs an entirely different function than the user intended.
LinkedIn, for example, was forced to change some of its code in 2015 when it was discovered that attackers could hide malicious links for users to click on the networking platform.
Social media sites like Facebook and Twitter have also fallen prey, where the exploit could generate unconscious likes or followers for a specific account or post in a similar technique, aptly called ‘likejacking’.
While this trick isn’t anything new, eyebrows have been raised at its presence in Google YOLO – a widget that authenticates a person’s identity through a single Google login, which is why, in this case, the abbreviation stands for You Only Login Once.
“We've investigated your submission and made the decision not to track it as a security bug,” was the response security researcher File Descriptor received from Google upon reporting the issue earlier this week.
The company added that it wasn’t sure how to fix the problem as “the login widget has to be frameable for it to work”.
Documenting his findings in a blog post, File Descriptor explains that users need to be signed into Google in order for the clickjacking technique to be successful.
If they are, a click anywhere could mean leaking personal data to an attacker.
File Descriptor said: “There’s no reliable way to prevent clickjacking, though mitigation can be done on both ends.
“Sites need to proactively deploy X-Frame-Options or Content-Security-Policy header, web widget providers need to make sure sufficient user interactions are required, and users can consider disabling third-party cookies or use browser profiles.”
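The site-side mitigation File Descriptor mentions comes down to two response headers. The following added example (not code from the researcher, Google, or The Daily Swig) evaluates constructed sample header sets and reports whether a page served with them could still be embedded in an iframe on an unrelated origin; the `RECOMMENDED_HEADERS` name is an assumption of this example.

```python
"""Judge whether an HTTP response can be framed by a third-party page.

Added example, not from the original article. It evaluates the two
anti-framing headers the article names: X-Frame-Options and the
Content-Security-Policy frame-ancestors directive. All header
dictionaries passed in by the test are constructed samples.
"""
from typing import Dict, List, Optional


def csp_frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the source list of frame-ancestors, or None if the directive is absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.strip("'").lower() for p in parts[1:]]
    return None


def frameable_by_third_party(headers: Dict[str, str]) -> bool:
    """True if an unrelated origin could embed this response in an iframe.

    When both headers are present, browsers honour frame-ancestors and
    ignore X-Frame-Options, so the CSP directive is checked first.
    """
    h = {k.lower(): v for k, v in headers.items()}
    ancestors = csp_frame_ancestors(h.get("content-security-policy", ""))
    if ancestors is not None:
        # 'none' blocks all framing; 'self' or named origins block everyone else.
        # A wildcard or bare scheme source lets arbitrary sites frame the page.
        return any(a in ("*", "https:", "http:") for a in ancestors)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return False
    # No header, an unknown value, or the obsolete ALLOW-FROM form (ignored by
    # modern browsers) all leave the page frameable.
    return True


# Assumed name: the header pair a site should send unless it must be framed.
RECOMMENDED_HEADERS = {
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'none'",
}
```

A widget that must be embeddable, as Google said of YOLO, cannot use either header to block framing, which is why the remaining defences fall to the widget's own interaction requirements and to the user's browser settings.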
According to File Descriptor, Google disabled YOLO after he published his blog post, but Eduardo Vela, a security engineer, responded on Twitter by saying that the feature was now only enabled for a number of partner websites.
Vela said: “The feature was open to everyone for a short period of time, and that probably coincided with the time you tested it.”
He added: “As for the reason this was closed as working as intended, it was just done accidentally, we had already an internal bug tracking clickjacking in YOLO.”
Speaking to The Daily Swig, File Descriptor said: “I wasn’t satisfied with the response because they [Google] now tried to restrict the service instead of actually fixing it.
“To be fair though, Google does handle a large amount of security reports on a daily basis.”
File Descriptor suggested a fix that would require first time users to receive a prompt, such as a window pop-up that could confirm any action.
But he told The Daily Swig that the actual fix would be taking down the service given the continued security issue it poses, even on Google’s partner sites.
Comparable bugs have been reported by researchers, with Google tending to take a similar stance on what it considers a security flaw – users having their identity disclosed with just one click doesn’t appear to be one of them.
Making sure you're signed out of Google is a surefire way to protect against this issue. Using Firefox Containers is another way to ensure protection, as this isolates one's identity from all other online activity.
“They [Google] sometimes don't care about issues that are not severe enough in their point of view,” said File Descriptor. “I knew this could be one of those.
“Another reason is if they want to fix it they have to remove the service, because the whole point of YOLO is to provide seamless login experience (aka in one click in an iframe), as opposed to the standard Google login popup.”
When asked if Google was planning to fix the issue, Vela said that changes were in the works.