Google Meets Vulnerabilities Research - absentee-neptune/Senior-Capstone GitHub Wiki

What it has access to:

  • Microphone
  • Camera
  • Computer Screen

Common Google Meet vulnerabilities found so far:

  • Identity theft leading to unauthorized access to meetings, based on social engineering
    • When someone asks for entry to a meeting, only the name set on their Google account is shown to the host, not their mail ID (email address)
  • Google Meet URL redirection feature that can lead users to spoofed domains and make them victims of cybercrime.
    • During Google Meet sessions, Google rewrites URLs that users are sent to follow into open redirects that lead the user to another website. That website is chosen by whoever created the bridging link. When such a link is posted in personal messages over Google Meet, it appears to be a Google Meet link but ultimately takes the user to the URL its creator chose.
    • Cybercriminals can lure users with this URL and make them the target of a phishing attempt. They can ask the user to enter any information, and the user, under the impression that Google is asking for it so they can continue their Google Meet session, provides it to the phishers without a second thought.
    • Users can be this naive because they only look at the first part of a URL to judge whether a link is valid. So attackers make the first part, or the beginning, of the URL appear totally legitimate.
    • The domain name may contain clues that the URL is fake, but before users notice this or even take time to think about it, the majority have already clicked through the link and been redirected to a fake Google login page.
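
A link check that judges the real destination instead of the start of the URL, as described in the redirection bullets above. This is an added example, not code from this project or from Google. The trusted-domain list, the function names, and the `linkredirect`/`dest` form of the sample links are assumptions for illustration, and the sample URLs are constructed.

```python
from urllib.parse import urlsplit, parse_qsl

# Assumption: domains this organisation accepts as legitimate destinations.
TRUSTED_DOMAINS = {"google.com"}

def host_is_trusted(host, trusted=TRUSTED_DOMAINS):
    """True only if host IS a trusted domain or a subdomain of one.
    A host that merely starts with 'meet.google.com' does not qualify."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)

def embedded_destinations(url):
    """Absolute http(s) URLs carried in any query parameter of url."""
    found = []
    for _name, value in parse_qsl(urlsplit(url).query):
        try:
            target = urlsplit(value)
        except ValueError:      # malformed value, not a usable URL
            continue
        if target.scheme in ("http", "https") and target.hostname:
            found.append(value)
    return found

def final_destination(url, max_hops=5):
    """Unwrap nested redirect parameters offline (no network request)."""
    for _ in range(max_hops):
        nested = embedded_destinations(url)
        if not nested:
            break
        url = nested[0]
    return url

def classify(url):
    """Label a link by where it actually leads, not by how it begins."""
    outer = urlsplit(url).hostname
    dest = urlsplit(final_destination(url)).hostname
    if not host_is_trusted(outer):
        return "untrusted-link"
    if dest != outer and not host_is_trusted(dest):
        return "trusted-host-redirects-offsite"
    return "ok"

if __name__ == "__main__":
    # Constructed sample links, for illustration only.
    for link in (
        "https://meet.google.com/abc-defg-hij",
        "https://meet.google.com/linkredirect?dest=https%3A%2F%2Faccounts.google.com.login-check.example%2Fsignin",
        "https://meet.google.com.session-verify.example/abc-defg-hij",
    ):
        print(classify(link), link)
```

The second sample begins with a genuine Google host yet resolves to a lookalike domain, which is the case a glance at the first part of the URL misses.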

Sprint 1 References