Attackers could exploit the weakness in Google Drive by distributing malicious files disguised as legitimate files or images. A system administrator A. Nikoci reported the flaw to Google, the functionally allows users to upload a new version with any file extension for any existing file on the cloud storage, even with a malicious executable.
An attacker could exploit the weakness by spear-phishing scams, where the victim is tricked into opening messages that include malicious links or attachments, which appears to be real. The recipient unknowingly downloads malware that can give the attacker access to the user’s computer system and other sensitive information like account credentials and confidential data.
Experts pointed out that Google Chrome appears to implicitly trust any file downloaded from Google Drive, even if they are flagged by other antivirus software as malicious. There is no evidence that the vulnerability has been exploited by threat actors in attacks in the wild.
Users must always keep an eye on suspicious emails and Google Drive notifications because the attackers are trying to exploit all the possible points to hide their malicious moves.
Recently, Google has fixed a security flaw in Gmail, which allowed the hacker to send spoofed emails to any Gmail or G Suite customer even when the security policies are enabled.
This security flaw can be used for attackers to attack those companies which rely on Google Drive to share documents. As per the reports, this issue would need a change to Drive’s version.