Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC

2014-03-14 Thread J. Tozo
Congrats for your discovery, get your prize



On Fri, Mar 14, 2014 at 3:56 PM, Nicholas Lemonias. lem.niko...@googlemail.com wrote:

 Google research not awarded.

 http://www.techworm.net/2014/03/security-research-finds-flaws-in.html

 ___
 Full-Disclosure - We believe in it.
 Charter: http://lists.grok.org.uk/full-disclosure-charter.html
 Hosted and sponsored by Secunia - http://secunia.com/




-- 
Grato,

J. Tozo
 _
   °v°
  /(S)\SLACKWARE
   ^ ^   Linux
_
 because it works

Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC

2014-03-14 Thread J. Tozo
 If you can indeed do this as you suspect then your points are valid and you
 may be able to cause various issues associated with it such as DOS etc,
 especially if the uploaded files cannot or are not tracked.

 However...

 Consider that you are talking to an API and what you are getting back (the
 JSON response) in your example is simply a response from the API to say the
 file you uploaded has been received and saved.

 Now, as you no doubt know, when you upload a regular movie to YouTube, once
 uploaded it goes away and does some post-processing, converting it to Flash
 for example. What's to say that there isn't some verification aspect to this
 post-processing that checks if the file is intact, a valid movie, and if not
 removes it?

 If you could for example demonstrate that the file was indeed persistent, by
 being able to retrieve it for example, then again you would have solid ground
 to claim an issue. However, your claims at this point are based on an
 assumption. Let me explain.

 1. You have demonstrated that you can send any file to an API and the API
 returned an acknowledgment of receiving (and saving) the file.

 2. You / we don't know what Google do with files once they have been
 received from the API - maybe they process them and validate them - we
 simply don't know.

 3. You have hypothesized that you can retrieve the file by manipulating
 tokens etc and you may be right, but you have not demonstrated it as such.

 Because of this, you seem to have made a CLAIM that you can upload arbitrary
 files to Google, however SHOWN that you can simply send files to an API and
 an API responds in a certain way.

 I am NOT saying you haven't found an issue, what I am saying is that you
 need to demonstrate that the issue is real and thus can be abused. If the
 Google service simply verifies all uploaded files once they are uploaded and
 discards them if invalid, then you haven't really found anything.

 If you were to prove that you were able to retrieve this uploaded file then
 how could anyone dispute your bug?

 Hope this helps

 Cheers!





Re: [Full-disclosure] Google vulnerabilities with PoC

2014-03-13 Thread J. Tozo
hahahaha

you also could send emails to yourself until you fill up Google's storage.
of course it's not a security issue.


On Thu, Mar 13, 2014 at 2:33 PM, Brandon Perry bperry.volat...@gmail.com wrote:

 If you were evil, you could upload huge blobs and just take up space on
 the google servers. Who knows what will happen if you upload a couple
 hundred gigs of files. They don't disappear, they are just unretrievable
 afaict. It is a security risk in the sense that untrusted data is being
 persisted *somewhere*.

 Upload a couple terabytes, cause a DoS because some hdd in the DC fills
 up. Who knows.

 Sent from a computer

 On Mar 13, 2014, at 12:28 PM, Michal Zalewski lcam...@coredump.cx wrote:

  The only reasonable way to 'exploit' the bug is using youtube as a
  personal storage uploading non-video files to your own profile: so
 what?
 
  That would require a way to retrieve the stored data, which - as I
  understand - isn't possible here (although the report seems a bit
  hard-to-parse). From what I recall, you can just upload a blob of data
  and essentially see it disappear.
 
  We do have quite a few services where you can legitimately upload and
  share nearly-arbitrary content, though. Google Drive is a good
  example.
 
  /mz
 