Wednesday, 19 March 2014

When "usability outweighs the perceived risks" [Google]

Sometimes advantages of used solution outweighs potential security risk, situation like that opens wide field for black hats.


Using Google as proxie is well known topic, ex. google translator, but recently I noticed also content downloading possibility, what creates a way more abuse possibilities.

Blogger "image from web"
When we want to add a new photo from web, there is created request like that:


Opening that link will start downloading image in p.txt file, from address included in "url" parameter.  In this example "". What is exactly my .jpg, just with changed extension to text file. But let's see what can we achieve by changing the "url", or  "rewriteMime" parameter.


1)Malicious file download using google servers:

We can change url parameter to any page or file and thanks to rewriteMime, ( we can give "advice for browser", what to use for opening this file, despite of default .txt format. Some of the browsers use that parameter (ex. firefox). It gives possibility to send malicious file, as google servers (File is being downloaded to google servers firstly and then to client)
So lets make some tests, by downloading files from dropbox and changing their mime parameters:

.docx and .pdf - popular files, often containing exploits.

.zip that may contain malicious .exe


In chrome and IE situation is better, they both recognize files as .txt, despite the Mime parameter change.

2)Bypass downloading content from websites blocked or marked as danger websites

Because everything is going though goggle servers, it lets to use content from sources, that maybe should be blocked for some reasons. So it can work as proxy.

3) Silence malware updates possibility

Default extension of file is .txt, but after downloading there is no problem for malware to change it to exe., so connecting this, with previously talked proxy possibility, it can be used by malware to make updates thought legit google servers.


4) DoS using google servers
During tests, I didnt notice any security, as captcha or requests limit, so it gives possibility to make numerous requests of downloading file from target website and at the end the DoS attack. Attacker could choose big file on website, which using this method will be downloaded many times by fast google servers.


Web developers often encounter this kind of problem, the title which describes it, comes from email that I got from Google:

As we can see in Google opinion possible advantages are higher than the risk. Same situation we can observe right now (27.04), with Facebook, where it's possible to use notes service for downloading content from any website (cause DDos, when many people open the note) (more info: The most realistic solutions seems to be monitoring such a service and trying to catch abuses.


  1. Damn... I am late by 2 months...

    "we can give 'advice for browser', what to use for opening this file, despite of default .txt format. Some of the browsers use that parameter (ex. firefox)"
    Firefox 29.0.1 still tries to open that links by notepad.

    Good job!

  2. What then does it mean to be an educator? Does it signify something different than the assigned job title? What I have learned through my work in higher education is that becoming an educator is not an automatic process. Everyone who is teaching adult students is not functioning as an engaging and highly effective educator. However, it is possible to learn how to educate rather than teach and that requires making a commitment to the profession.

  3. All Assignment Help is a web portal where students get help in making assignments for all the subjects, with the help of our experts. You will get 100% plagiarism free assignment. Expert’s consultation is also available for students. If they have any query they can contact with our experts anytime.
    Java Assignment help

  4. This is where you might have started your search for assignment help.The previous consumers give their feedback on the website to let the other users know about the quality of their service. For example, if you go to the reviews, you can get to know the opinion of different users about their services. You can also check other websites to compare and select the best service for you.

  5. Nice Article Very Helpful ! Thanks for sharing ! Also check sniper 3d assassin epsxe android gta san andreas mod

  6. As an established Australia assignment help organization, we always aim to increase the number of in-house experts we have so that we can offer you the perfect assignment writing help in conventional courses like Management, Law, Engineering, etc. We understand how important academic assessments are in developing a student's career and future opportunities, this is why we take extreme measures to ensure that all our solutions are best-in-class. During higher studies in colleges, students often have to prepare multiple documents, quizzes and surprise tests. This is the main reason why most students search for online assignment help Australia over the internet and choose only the most proficient and trusted academic writing experts. Only while doing research and analysis the structure is altered a little. But somehow that doesn’t seem sufficient enough as students from those top-notch colleges are still opting for online academic assistance in the quest of their respective university assignment help service providers.