Google Drive could leave a door open for hackers to trick users into installing malware. System administrator A. Nikoci told The Hacker News of a flaw in Drive’s file version management feature, which could allow attackers to trade a legitimate file for malware. The cloud storage service reportedly doesn’t check if a file is of the same type or doesn’t apply for the same extension. A photo of a harmless cat could, therefore, hide malware.
The online preview does not suggest any changes, nor does it generate alarms, so the user may not know that there is a malicious file until it is installed. Chrome seems to “implicitly trust” Drive downloads even when other antivirus programs detect something wrong.
The approach could be used for spear phishing attacks, which trick users into compromising their systems. Therefore, the user could be notified of a document update and take the file without realizing the threat. Nikos said he notified Google of the problem but still did not have a patch on August 22.
The bug would offer a not too difficult way for hackers to allow hackers to attack especially companies that rely on Google Drive for sharing documents.
Removing this vulnerability would force Google to make a significant change to version control of the proposed files in Drive. For now, your best bet may be to use antivirus software and watch out for file update warnings on Google Drive, especially if the user knows absolutely nothing about new versions of alleged files.