[innoying]

I totally agree. I don't even see how the impact is even more than the open-redirects which already exist. You could do this exact same exploit against tons of providers (Facebook, Twitter, etc) via the standard OAuth flow and the 'redirect_url' parameter.

[peteretep]

Because I go to a page, check the green padlock and all that noise, it's all legit, enter my credentials, oops I typed them in wrong, try again, right now I'm logged in properly... I would say I am dramatically less likely to exercise as much caution on the "Ooops wrong credentials" page having checked the original one.

[developer2]

I'm the type of person who can't fathom actually falling for a phishing attack. As a tech-savvy software developer, it is extremely unlikely I will ever be successfully attacked via a phishing email, text message, blog/forum link, etc. If the initial link I follow could possibly be questionable, I look at the domain before logging in. I must be part of much less than 10% of the population that is at least that informed and vigilant.

I hadn't considered login redirects. This attack vector is one I can see myself falling for. Sign in on the legitimate google.com domain. Whoops, I just mistyped my Google password - not a rare occurrence. An exact replica of the "incorrect password" page has me type in my password again. Then they have a replica of the two-step authentication screen. I enter in the valid TOTP code, and now I've just given a third-party full access to my Google account.

This should absolutely be considered a serious threat. Hell, the only thing we freaking teach non-tech-savvy people to do is to look at the domain name. This attack vector completely bypasses that common understanding of how to detect phishing. There is absolutely no way I should land on a 3rd party domain after authenticating, without at least an interstitial page informing me I am heading off of Google's properties. Any redirect chain specifically from login should require landing on a Google domain, or have an interstitial. This doesn't need to be done globally for all redirects - just from login.

Oh well, I learned something new today. Re-check the domain you are on every time you type in credentials. You can't rely on your initial entry page being on the right domain, you have to be paranoid to the point of insanity every time you touch your keyboard.

[peteretep]

And the best part is you don't know it happened because after you've filled in the fake page, they redirect you again to a Google page you did need to be signed in for, and you're now logged in (from the first page).

If people ever send you Google Docs links, you're likely vulnerable unless you are as vigilant on the "Wrong Password" page as you were on the initial one.

[woliveirajr]

It's worst than that. Below (or somewhere in this thread) you'll find some example posted by kuschku: you don't land in someone else domain, you're still in the Google domain, you'll just find out that you're viewing someone's else page if you see the full URL.

[mentat]

If you're that confident that you have either already been phished or haven't had someone try. It happens, you make a mistake, you click too fast. A little humility goes a long way.

[praxulus]

Perhaps it's just safer to use a password manager for everything.

[Godel_unicode]

Somewhere, Tavis Ormandy is cringing.

[niij]

Does he have a statement regarding password managers?

[Godel_unicode]

He's been finding bugs galore in them recently.

https://mobile.twitter.com/taviso/status/769391927892598784

Edit: this one is better

https://mobile.twitter.com/taviso/status/769378052254015488