
Since Google has decided that https://www.google.com/amp/[any_domain_here] isn't a vulnerability, then I don't see how combining that with a google login is a vulnerability.

OP talks about having the continue page prompt for password, but how is that any different from creating a fake Google password prompt page now? That page would not be on https://accounts.google.com/, and it would not have my personal info displayed, so why would I enter my password? Just because the last thing I did was log into Google? Is that supposed to "put me in the mood"?

If I'm on page A, and I click a link that prompts me for my google credentials, I've either expected that, so I check to make sure it's Google, or I haven't, so I close that tab. If I enter my username and password, or just my password, and then end up at page B, and it prompts me for my password again, it certainly doesn't know my username like the real Google password prompt page did. It looks different, and raises all sorts of flags.

Alternatively, if I'm on page A, and I click on a link that sends me to page B directly, where I'm prompted to enter my username and password, I don't. Why would I? It's not google.com, etc.

There's just no way that this seems like any more of a vulnerability than the open redirector already is.




I'm on the sign-in page for Google.

I check out the URL, it's google.com. The padlock is there.

I sign in. Whoops, must have typed my password in wrong. It happens sometimes. So I type it in correctly.

...I just got phished.

The problem is that the behavior of this exploit mimics almost EXACTLY the expected behavior. The warning flags to even an educated user are not clear at all. It would be so easy to fall for this.


Your profile picture would go away on the second page though, which might be unusual.

I recommend installing this extension, however: https://chrome.google.com/webstore/detail/password-alert/noo...


Which might be unusual, unless you add an error message, as in this example:

https://cdn.kuschku.de/ServiceLogin/video.mp4


I lack the patience to create a video (kudos!), but I'm still not seeing how this is any more of a vulnerability than just sending someone to that page in the first place? It's not on a google.com URL, which seems immediately obvious to me.

It might help that I always enter my password via command-\, never typing it. So even if I was really not paying any attention, and didn't realize the domain had completely changed, and that my username had disappeared (which still seems unlikely), command-\ wouldn't fill in my credentials, because it's not google.com.

That last page is phishing, for sure. And it's going to fool some number of people, for sure. I'm struggling to think of how that's something Google should do something about though.


Google obviously thinks it shouldn’t happen – that’s why they have a whitelist in the first place.

This is just a simple whitelist bypass.

But the issue is: How do you check the page you are on is the correct one?

You might check everything the first time, but after that?
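
The whitelist bypass discussed in this thread, as an added example that is not from any commenter or from Google: a constructed Python check showing that a host-only allow-list on a login "continue" parameter accepts a URL on an allowed host whose path is an open redirector (the `/amp/<domain>` pattern from the top comment), while an allow-list of known landing pages rejects it. The host names, landing paths and the way the redirector is modelled are assumptions.

```python
"""Constructed demo: why a host-only allow-list on a login 'continue'
parameter is bypassed by an open redirector that lives on an allowed host."""
from typing import Optional
from urllib.parse import urlparse

# Constructed allow-lists for the demo; not any real service's configuration.
ALLOWED_HOSTS = {"www.google.com", "accounts.google.com"}
ALLOWED_LANDING = {  # host -> path prefixes that render content themselves
    "www.google.com": ("/search", "/maps"),
    "accounts.google.com": ("/",),
}


def host_only_ok(url: str) -> bool:
    """The weak check: https scheme plus exact hostname match, nothing else."""
    p = urlparse(url)
    return p.scheme == "https" and p.hostname in ALLOWED_HOSTS


def amp_redirect_target(url: str) -> Optional[str]:
    """Model the /amp/<domain>/... redirector the thread describes: return the
    host the browser actually ends up on, or None if the URL is not a redirect."""
    p = urlparse(url)
    if p.hostname == "www.google.com" and p.path.startswith("/amp/"):
        rest = p.path[len("/amp/"):]
        return rest.split("/", 1)[0] or None
    return None


def effective_host(url: str) -> Optional[str]:
    """Where the user really lands: the redirect target if any, else the host shown."""
    return amp_redirect_target(url) or urlparse(url).hostname


def path_aware_ok(url: str) -> bool:
    """Hardened check: host must be allowed AND the path must be a known landing
    page, so redirector endpoints on an allowed host are never accepted.
    Also rejects userinfo and non-default ports, which confuse visual checks."""
    p = urlparse(url)
    if p.scheme != "https" or p.hostname not in ALLOWED_HOSTS:
        return False
    if p.username is not None or p.port not in (None, 443):
        return False
    prefixes = ALLOWED_LANDING.get(p.hostname, ())
    return any(p.path.startswith(prefix) for prefix in prefixes)
```

Running the two checks against `https://www.google.com/amp/evil.example/ServiceLogin` shows the gap: the host-only check passes it although the effective host is `evil.example`, while the landing-page check rejects it.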


It looks like your domain is flagged for phishing in my Chrome. :(


Yes, that's why I removed the link, too.

Now I just have to wait a few days until it's not flagged anymore.

Did I mention how much I hate Google, and their "automate everything" stance, especially regarding flagging of content?


Woah, thanks for the video. That makes the issue more apparent.

Still, couldn't you do the same thing with the standard OAuth flow for Google/Facebook/Twitter?

Also, cool profile photo. :-P


I'm not sure I agree. There will be a percentage of users who would see the initial google.com page and not realise the subsequent page was an impostor, especially since Google 'took them there' after they logged in. This doesn't work on you because you have been primed to know what to expect - I reckon at least five percent of people phished this way would not be so observant, and Google should block off-site redirection after login.



