Hi, The only probable way of exploiting it I can see would be if the servers at Google where the files are uploaded would perform some specific tasks with such files that could result in exploiting a vulnerability in any of the used software (and this is something the "discoverer" failed to probe). An example: Google malware scans the uploaded file with some AV engine and the file is actually an exploit targeting one or more AV products. I don't think this is the case and, even in this case, there wouldn't be any Google's vulnerability but, rather, a vulnerability in another product from another company.
So, in short: this conversation is stupid. There is no vulnerability we can see here and, if there is, it cannot be probed by the discoverer and he and his buddies attach to either ad hominem arguments or to statements like "I am XXX with YYY years of experience doing ZZZ" mistakenly thinking it could back any of their paranoias. What else do we need to discuss here? I think it's time to stop this conversation. And, yes, I know that sending an e-mail to ask for stopping a conversation on FD is stupid too. Regards, Joxean Koret
signature.asc
Description: This is a digitally signed message part
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
